diff -Nura php-5.1.4/Changelog.hphp hardening-patch-5.1.4-0.4.15/Changelog.hphp
--- php-5.1.4/Changelog.hphp	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Changelog.hphp	2006-09-07 19:32:29.000000000 +0200
@@ -0,0 +1,61 @@
+Changelog of the Hardening-Patch
+--------------------------------
+
+0.4.15 - 07. September 2006
+
+	PHP4:
+		[+] Fix for potential DOS in handling of include blacklists
+		
+	PHP4+5:
+		[+] Backported a fix for open_basedir problems with insanse PHP scripts
+		[+] Added a fix for ini_restore() PHP security vulnerability
+
+0.4.14 - 11. August 2006
+
+    PHP4:
+        [+] Remove unecessary call to AC_BROKEN_REALPATH
+
+    PHP5:
+        [+] Fix Remote URL Include Protection - Thanks to: Bart Vanbrabant
+	
+    PHP4+5:
+        [+] Added a few PHP security fixes / see changelog.secfix for details
+	[+] Fixed the memory_limit protection for systems with different perdir memory_limits
+	[+] Fixed a possible memory corruption when foreach() is used with wrong arguments
+
+0.4.13 - 07. August 2006
+
+    PHP4+5:
+        [+] Added a fix for a compile problem on solaris due to missing strcasestr()
+
+0.4.12 - 19. July 2006
+
+    PHP4:
+        [+] Added fixes from sf4 security patch / see changelog.secfix for details
+
+    PHP5:
+        [+] Added fixes from sf5 security patch / see changelog.secfix for details
+	
+    PHP4+5:
+	[+] Added anti mail spam feature
+	[+] Speedup of zend_hash canary (clear/destroy)
+	[+] Added a fix for a DOS in the handling of URL blacklists
+
+0.4.11 - 13. May 2006
+
+    PHP5:
+        [+] tsrm_virtual_cwd.c: close open_basedir, safe_mode hole introduced by realpath() cache
+	[+] install-pear-nozlib.phar: bundle in full package download of 5.1.4
+	
+    PHP4+5:
+	[+] tsrm_virtual_cwd.c: realpath() hotfix to solve problems with non existing directories
+
+
+0.4.10 - 11. May 2006
+	
+    PHP4:
+	[+] info.c: backport from 5.1.4 contained TSRMLS macro that had to be removed
+	
+    PHP4+5:
+	[+] fopen_wrappers.c: fix for a trailing slash problem with open_basedir
+	
diff -Nura php-5.1.4/Changelog.secfix hardening-patch-5.1.4-0.4.15/Changelog.secfix
--- php-5.1.4/Changelog.secfix	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Changelog.secfix	2006-09-05 20:31:02.000000000 +0200
@@ -0,0 +1,40 @@
+Changelog of PHP 5.1.4 Security Fixes
+
+Release 6 - 11. August 2006
+
+    [+] Added IMAP open_basedir/safe_mode check
+    [+] Added a fix for previous ext/session fixes
+    [+] Added upstream fix to ext/socket
+    [+] Added sscanf() security fix
+    [+] Added fixes for handling of corrupt .gif files to gdlib
+
+Release 5 - 13. July 2006
+
+    [+] Fixed compilation of Security-Patch Release 4 in ZTS mode
+
+Release 4 - 13. July 2006
+
+    [+] Added a recursive array printing fix to the phpinfo() XSS fix
+    [+] Added a fix for stat() on non existing files in safe_mode
+
+Release 3 - 07. July 2006
+
+    [+] Added a fix for an integer overflow in str_repeat()
+    [+] Added a *working* wordwrap() fix
+    [+] Added code to make memory_limit work on 64bit systems
+    [+] Added a fix for the error_log() safe_mode/open_basedir vulnerability
+    [+] Added a fix for overlong tempfilename
+    [+] Added multiple fixes for new safe_mode/open_basedir problems in ext/curl
+    [+] Added a high characters fix to ext/wddx 
+
+Release 2 - 16. May 2006
+
+    [+] Remove install-pear-nozlib.phar from the patchfile, because the official PHP
+        tarball got updated
+
+Release 1 - 13. May 2006
+
+    [+] Bundle install-pear-nozlib.phar which was missing in the official PHP tarball
+        and is downloaded when make install is called (usually as root -> security risk)
+    [+] Fixed open_basedir/safe_mode bypass via the realpath() cache
+
diff -Nura php-5.1.4/configure hardening-patch-5.1.4-0.4.15/configure
--- php-5.1.4/configure	2006-05-12 16:41:10.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/configure	2006-09-05 20:31:02.000000000 +0200
@@ -942,6 +942,16 @@
 ac_help="$ac_help
   --with-libdir=NAME      Look for libraries in .../NAME rather than .../lib"
 ac_help="$ac_help
+  --disable-hardening-patch-mm-protect    Disable the Memory Manager protection."
+ac_help="$ac_help
+  --disable-hardening-patch-ll-protect    Disable the Linked List protection."
+ac_help="$ac_help
+  --disable-hardening-patch-inc-protect   Disable include/require protection."
+ac_help="$ac_help
+  --disable-hardening-patch-fmt-protect   Disable format string protection."
+ac_help="$ac_help
+  --disable-hardening-patch-hash-protect  Disable Zend HashTable DTOR protection."
+ac_help="$ac_help
 
 SAPI modules:
 "
@@ -1410,6 +1420,8 @@
 ac_help="$ac_help
   --enable-wddx           Enable WDDX support"
 ac_help="$ac_help
+  --disable-varfilter     Disable Hardening-Patch's variable filter"
+ac_help="$ac_help
   --disable-xml           Disable XML support"
 ac_help="$ac_help
   --with-libxml-dir=DIR     XML: libxml2 install prefix"
@@ -3618,6 +3630,157 @@
 
 
 
+# Check whether --enable-hardening-patch-mm-protect or --disable-hardening-patch-mm-protect was given.
+if test "${enable_hardening_patch_mm_protect+set}" = set; then
+  enableval="$enable_hardening_patch_mm_protect"
+  
+  DO_HARDENING_PATCH_MM_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_MM_PROTECT=yes
+
+fi
+
+
+# Check whether --enable-hardening-patch-ll-protect or --disable-hardening-patch-ll-protect was given.
+if test "${enable_hardening_patch_ll_protect+set}" = set; then
+  enableval="$enable_hardening_patch_ll_protect"
+  
+  DO_HARDENING_PATCH_LL_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_LL_PROTECT=yes
+
+fi
+
+
+# Check whether --enable-hardening-patch-inc-protect or --disable-hardening-patch-inc-protect was given.
+if test "${enable_hardening_patch_inc_protect+set}" = set; then
+  enableval="$enable_hardening_patch_inc_protect"
+  
+  DO_HARDENING_PATCH_INC_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_INC_PROTECT=yes
+
+fi
+
+
+# Check whether --enable-hardening-patch-fmt-protect or --disable-hardening-patch-fmt-protect was given.
+if test "${enable_hardening_patch_fmt_protect+set}" = set; then
+  enableval="$enable_hardening_patch_fmt_protect"
+  
+  DO_HARDENING_PATCH_FMT_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_FMT_PROTECT=yes
+
+fi
+
+
+# Check whether --enable-hardening-patch-hash-protect or --disable-hardening-patch-hash-protect was given.
+if test "${enable_hardening_patch_hash_protect+set}" = set; then
+  enableval="$enable_hardening_patch_hash_protect"
+  
+  DO_HARDENING_PATCH_HASH_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_HASH_PROTECT=yes
+
+fi
+
+
+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_MM_PROTECT" 1>&6
+
+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_LL_PROTECT" 1>&6
+
+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
+echo "configure:2733: checking whether to protect include/require statements" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_INC_PROTECT" 1>&6
+
+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_FMT_PROTECT" 1>&6
+
+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_HASH_PROTECT" 1>&6
+
+
+cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH 1
+EOF
+
+
+
+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_MM_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_MM_PROTECT 0
+EOF
+
+fi
+
+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_LL_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_LL_PROTECT 0
+EOF
+
+fi
+
+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_INC_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_INC_PROTECT 0
+EOF
+
+fi
+
+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_FMT_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_FMT_PROTECT 0
+EOF
+
+fi
+
+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_HASH_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_HASH_PROTECT 0
+EOF
+
+fi
 
 
 
@@ -18607,6 +18770,62 @@
 fi
 
 
+  echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
+echo "configure:14928: checking whether realpath is broken" >&5
+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+    if test "$cross_compiling" = yes; then
+  
+      ac_cv_broken_realpath=no
+    
+else
+  cat > conftest.$ac_ext <<EOF
+#line 14939 "configure"
+#include "confdefs.h"
+
+main() {
+	char buf[4096+1];
+	buf[0] = 0;
+	realpath("/etc/hosts/../passwd", buf);
+	exit(strcmp(buf, "/etc/passwd")==0); 
+}
+    
+EOF
+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  
+      ac_cv_broken_realpath=no
+    
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  
+      ac_cv_broken_realpath=yes
+    
+fi
+rm -fr conftest*
+fi
+
+  
+fi
+
+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
+  if test "$ac_cv_broken_realpath" = "yes"; then
+    cat >> confdefs.h <<\EOF
+#define PHP_BROKEN_REALPATH 1
+EOF
+
+  else
+    cat >> confdefs.h <<\EOF
+#define PHP_BROKEN_REALPATH 0
+EOF
+
+  fi
+
+
   echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
 echo "configure:18612: checking for declared timezone" >&5
 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
@@ -89422,7 +89641,7 @@
   if test "$ac_cv_crypt_blowfish" = "yes"; then
     ac_result=1
   else
-    ac_result=0
+    ac_result=1
   fi
   cat >> confdefs.h <<EOF
 #define PHP_BLOWFISH_CRYPT $ac_result
@@ -92022,7 +92241,7 @@
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
                             var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
-                            filters.c proc_open.c streamsfuncs.c http.c; do
+                            filters.c proc_open.c streamsfuncs.c http.c sha256.c crypt_blowfish.c ; do
   
       IFS=.
       set $ac_src
@@ -92081,7 +92300,7 @@
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
                             var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
-                            filters.c proc_open.c streamsfuncs.c http.c; do
+                            filters.c proc_open.c streamsfuncs.c http.c sha256.c crypt_blowfish.c ; do
   
       IFS=.
       set $ac_src
@@ -92211,7 +92430,7 @@
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
                             var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
-                            filters.c proc_open.c streamsfuncs.c http.c; do
+                            filters.c proc_open.c streamsfuncs.c http.c sha256.c crypt_blowfish.c ; do
   
       IFS=.
       set $ac_src
@@ -92266,7 +92485,7 @@
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
                             var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
-                            filters.c proc_open.c streamsfuncs.c http.c; do
+                            filters.c proc_open.c streamsfuncs.c http.c sha256.c crypt_blowfish.c ; do
   
       IFS=.
       set $ac_src
@@ -96101,6 +96320,265 @@
 fi
 
 
+echo $ac_n "checking whether to enable Hardening-Patch's variable filter""... $ac_c" 1>&6
+echo "configure:82041: checking whether to enable Hardening-Patch's variable filter" >&5
+# Check whether --enable-varfilter or --disable-varfilter was given.
+if test "${enable_varfilter+set}" = set; then
+  enableval="$enable_varfilter"
+  PHP_VARFILTER=$enableval
+else
+  
+  PHP_VARFILTER=yes
+
+  if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
+    PHP_VARFILTER=$PHP_ENABLE_ALL
+  fi
+
+fi
+
+
+
+ext_output="yes, shared"
+ext_shared=yes
+case $PHP_VARFILTER in
+shared,*)
+  PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
+  ;;
+shared)
+  PHP_VARFILTER=yes
+  ;;
+no)
+  ext_output=no
+  ext_shared=no
+  ;;
+*)
+  ext_output=yes
+  ext_shared=no
+  ;;
+esac
+
+
+
+echo "$ac_t""$ext_output" 1>&6
+
+
+
+
+if test "$PHP_VARFILTER" != "no"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_VARFILTER 1
+EOF
+
+  
+  ext_builddir=ext/varfilter
+  ext_srcdir=$abs_srcdir/ext/varfilter
+
+  ac_extra=
+
+  if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
+
+    
+  
+  case ext/varfilter in
+  "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
+  /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
+  *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
+  esac
+  
+  
+
+  b_c_pre=$php_c_pre
+  b_cxx_pre=$php_cxx_pre
+  b_c_meta=$php_c_meta
+  b_cxx_meta=$php_cxx_meta
+  b_c_post=$php_c_post
+  b_cxx_post=$php_cxx_post
+  b_lo=$php_lo
+
+
+  old_IFS=$IFS
+  for ac_src in varfilter.c; do
+  
+      IFS=.
+      set $ac_src
+      ac_obj=$1
+      IFS=$old_IFS
+      
+      PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
+
+      case $ac_src in
+	  *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
+	  *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
+      esac
+
+	  cat >>Makefile.objects<<EOF
+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
+	$ac_comp
+EOF
+  done
+
+
+    EXT_STATIC="$EXT_STATIC varfilter"
+    if test "$ext_shared" != "nocli"; then
+      EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
+    fi
+  else
+    if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
+      
+  case ext/varfilter in
+  "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
+  /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
+  *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
+  esac
+  
+  
+
+  b_c_pre=$shared_c_pre
+  b_cxx_pre=$shared_cxx_pre
+  b_c_meta=$shared_c_meta
+  b_cxx_meta=$shared_cxx_meta
+  b_c_post=$shared_c_post
+  b_cxx_post=$shared_cxx_post
+  b_lo=$shared_lo
+
+
+  old_IFS=$IFS
+  for ac_src in varfilter.c; do
+  
+      IFS=.
+      set $ac_src
+      ac_obj=$1
+      IFS=$old_IFS
+      
+      shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
+
+      case $ac_src in
+	  *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
+	  *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
+      esac
+
+	  cat >>Makefile.objects<<EOF
+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
+	$ac_comp
+EOF
+  done
+
+      
+  install_modules="install-modules"
+  PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
+  
+  PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
+
+  cat >>Makefile.objects<<EOF
+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
+	\$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
+
+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
+	\$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
+
+EOF
+
+      cat >> confdefs.h <<EOF
+#define COMPILE_DL_VARFILTER 1
+EOF
+
+    fi
+  fi
+
+  if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
+    if test "$PHP_SAPI" = "cgi"; then
+      
+  
+  case ext/varfilter in
+  "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
+  /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
+  *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
+  esac
+  
+  
+
+  b_c_pre=$php_c_pre
+  b_cxx_pre=$php_cxx_pre
+  b_c_meta=$php_c_meta
+  b_cxx_meta=$php_cxx_meta
+  b_c_post=$php_c_post
+  b_cxx_post=$php_cxx_post
+  b_lo=$php_lo
+
+
+  old_IFS=$IFS
+  for ac_src in varfilter.c; do
+  
+      IFS=.
+      set $ac_src
+      ac_obj=$1
+      IFS=$old_IFS
+      
+      PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
+
+      case $ac_src in
+	  *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
+	  *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
+      esac
+
+	  cat >>Makefile.objects<<EOF
+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
+	$ac_comp
+EOF
+  done
+
+
+      EXT_STATIC="$EXT_STATIC varfilter"
+    else
+      
+  
+  case ext/varfilter in
+  "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
+  /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
+  *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
+  esac
+  
+  
+
+  b_c_pre=$php_c_pre
+  b_cxx_pre=$php_cxx_pre
+  b_c_meta=$php_c_meta
+  b_cxx_meta=$php_cxx_meta
+  b_c_post=$php_c_post
+  b_cxx_post=$php_cxx_post
+  b_lo=$php_lo
+
+
+  old_IFS=$IFS
+  for ac_src in varfilter.c; do
+  
+      IFS=.
+      set $ac_src
+      ac_obj=$1
+      IFS=$old_IFS
+      
+      PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
+
+      case $ac_src in
+	  *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
+	  *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
+      esac
+
+	  cat >>Makefile.objects<<EOF
+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
+	$ac_comp
+EOF
+  done
+
+
+    fi
+    EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
+  fi
+  
+  BUILD_DIR="$BUILD_DIR $ext_builddir"
+
+
+fi
 
 
 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
@@ -112351,7 +112829,7 @@
        php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
        strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
        network.c php_open_temporary_file.c php_logos.c \
-       output.c ; do
+       output.c hardening_patch.c ; do
   
       IFS=.
       set $ac_src
@@ -112596,7 +113074,7 @@
     zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
     zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
     zend_ini.c zend_qsort.c zend_multibyte.c zend_ts_hash.c zend_stream.c \
-    zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c; do
+    zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c zend_canary.c; do
   
       IFS=.
       set $ac_src
diff -Nura php-5.1.4/configure.in hardening-patch-5.1.4-0.4.15/configure.in
--- php-5.1.4/configure.in	2006-05-04 01:30:02.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/configure.in	2006-09-05 20:31:02.000000000 +0200
@@ -209,7 +209,7 @@
 
 sinclude(Zend/Zend.m4)
 sinclude(TSRM/tsrm.m4)
-
+sinclude(main/hardening_patch.m4)
 
 divert(2)
 
@@ -1275,7 +1275,7 @@
        php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
        strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
        network.c php_open_temporary_file.c php_logos.c \
-       output.c )
+       output.c hardening_patch.c )
 
 PHP_ADD_SOURCES(main/streams, streams.c cast.c memory.c filter.c \
        plain_wrapper.c userspace.c transports.c xp_socket.c mmap.c)
@@ -1302,7 +1302,7 @@
     zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
     zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
     zend_ini.c zend_qsort.c zend_multibyte.c zend_ts_hash.c zend_stream.c \
-    zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c)
+    zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c zend_canary.c )
 
 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
   PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c \
diff -Nura php-5.1.4/ext/curl/interface.c hardening-patch-5.1.4-0.4.15/ext/curl/interface.c
--- php-5.1.4/ext/curl/interface.c	2006-04-13 13:26:10.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/curl/interface.c	2006-09-05 20:31:02.000000000 +0200
@@ -167,6 +167,11 @@
 			RETURN_FALSE; 																		\
 		} 																						\
 																								\
+		if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) {				\
+		         php_error_docref(NULL TSRMLS_CC, E_WARNING, "Url '%s' contains unencoded control characters.", str);	\
+		         RETURN_FALSE;																	\
+		}																						\
+																								\
 		if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || 									\
 			(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))	\
 		) { 																					\
@@ -1065,7 +1070,6 @@
 		case CURLOPT_FTPLISTONLY:
 		case CURLOPT_FTPAPPEND:
 		case CURLOPT_NETRC:
-		case CURLOPT_FOLLOWLOCATION:
 		case CURLOPT_PUT:
 #if CURLOPT_MUTE != 0
 		 case CURLOPT_MUTE:
@@ -1116,6 +1120,16 @@
 			convert_to_long_ex(zvalue);
 			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
 			break;
+		case CURLOPT_FOLLOWLOCATION:
+			convert_to_long_ex(zvalue);
+			if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+				if (Z_LVAL_PP(zvalue) != 0) {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set");
+					RETURN_FALSE;
+				}
+			}
+			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+			break;
 		case CURLOPT_URL:
 		case CURLOPT_PROXY:
 		case CURLOPT_USERPWD:
diff -Nura php-5.1.4/ext/curl/streams.c hardening-patch-5.1.4-0.4.15/ext/curl/streams.c
--- php-5.1.4/ext/curl/streams.c	2006-01-01 13:50:01.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/curl/streams.c	2006-09-05 20:31:02.000000000 +0200
@@ -289,7 +289,11 @@
 	curl_easy_setopt(curlstream->curl, CURLOPT_WRITEHEADER, stream);
 
 	/* currently buggy (bug is in curl) */
-	curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+	if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+		curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+	} else {
+		curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+	}
 	
 	curl_easy_setopt(curlstream->curl, CURLOPT_ERRORBUFFER, curlstream->errstr);
 	curl_easy_setopt(curlstream->curl, CURLOPT_VERBOSE, 0);
diff -Nura php-5.1.4/ext/fbsql/php_fbsql.c hardening-patch-5.1.4-0.4.15/ext/fbsql/php_fbsql.c
--- php-5.1.4/ext/fbsql/php_fbsql.c	2006-01-01 13:50:06.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/fbsql/php_fbsql.c	2006-09-05 20:31:02.000000000 +0200
@@ -1925,8 +1925,24 @@
 	}
 	else if (fbcmdErrorsFound(md))
 	{
+#if HARDENING_PATCH
+		char*	query_copy;
+		int i;
+#endif
 		FBCErrorMetaData* emd = fbcdcErrorMetaData(c, md);
 		char*             emg = fbcemdAllErrorMessages(emd);
+#if HARDENING_PATCH
+		query_copy=estrdup(query_copy);
+		for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
+		php_security_log(S_SQL, "fbsql error: %s - query: %s", emg, query_copy);
+		efree(query_copy);
+		if (HG(hphp_sql_bailout_on_error)) {
+			free(emg);
+			fbcemdRelease(emd);
+			result = 0;
+			zend_bailout();
+		}
+#endif
 		if (FB_SQL_G(generateWarnings))
 		{
 			if (emg)
diff -Nura php-5.1.4/ext/gd/libgd/gd.c hardening-patch-5.1.4-0.4.15/ext/gd/libgd/gd.c
--- php-5.1.4/ext/gd/libgd/gd.c	2005-09-30 22:48:05.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/gd/libgd/gd.c	2006-09-05 20:31:02.000000000 +0200
@@ -2161,7 +2161,7 @@
 				for (x = 0; (x < w); x++) {
 					int c = gdImageGetPixel (src, srcX + x, srcY + y);
 					if (c != src->transparent) {
-						gdImageSetPixel (dst, dstX + x, dstY + y, gdTrueColor(src->red[c], src->green[c], src->blue[c]));
+						gdImageSetPixel(dst, dstX + x, dstY + y, gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]));
 					}
 				}
 			}
diff -Nura php-5.1.4/ext/gd/libgd/gd_gd2.c hardening-patch-5.1.4-0.4.15/ext/gd/libgd/gd_gd2.c
--- php-5.1.4/ext/gd/libgd/gd_gd2.c	2005-08-18 14:54:43.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/gd/libgd/gd_gd2.c	2006-09-05 20:31:02.000000000 +0200
@@ -430,6 +430,10 @@
 
 	gdImagePtr im;
 
+	if (w<1 || h <1) {
+		return 0;
+	}
+
 	/* The next few lines are basically copied from gd2CreateFromFile
 	 * we change the file size, so don't want to use the code directly.
 	 * but we do need to know the file size.
diff -Nura php-5.1.4/ext/gd/libgd/gd_gif_in.c hardening-patch-5.1.4-0.4.15/ext/gd/libgd/gd_gif_in.c
--- php-5.1.4/ext/gd/libgd/gd_gif_in.c	2005-09-24 16:39:16.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/gd/libgd/gd_gif_in.c	2006-09-05 20:31:02.000000000 +0200
@@ -44,7 +44,7 @@
 #define LOCALCOLORMAP  0x80
 #define BitSet(byte, bit)      (((byte) & (bit)) == (bit))
 
-#define        ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) != 0)
+#define        ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) > 0)
 
 #define LM_to_uint(a,b)                        (((b)<<8)|(a))
 
@@ -147,6 +147,9 @@
        Background      = buf[5];
        AspectRatio     = buf[6];
 
+		imw = LM_to_uint(buf[0],buf[1]);
+		imh = LM_to_uint(buf[2],buf[3]);
+
        if (BitSet(buf[4], LOCALCOLORMAP)) {    /* Global Colormap */
                if (ReadColorMap(fd, BitPixel, ColorMap)) {
 			return 0;
@@ -182,14 +185,13 @@
 
                bitPixel = 1<<((buf[8]&0x07)+1);
 
-               imw = LM_to_uint(buf[4],buf[5]);
-               imh = LM_to_uint(buf[6],buf[7]);
-	       if (!(im = gdImageCreate(imw, imh))) {
-			 return 0;
-	       }
+		if (!(im = gdImageCreate(imw, imh))) {
+			return 0;
+		}
+
                im->interlace = BitSet(buf[8], INTERLACE);
                if (! useGlobalColormap) {
-                       if (ReadColorMap(fd, bitPixel, localColorMap)) {
+		       if (ReadColorMap(fd, bitPixel, localColorMap)) {
                                  return 0;
                        }
                        ReadImage(im, fd, imw, imh, localColorMap,
@@ -212,6 +214,10 @@
        if (!im) {
 		return 0;
        }
+	if (!im->colorsTotal) {
+		gdImageDestroy(im);
+		return 0;
+	}
        /* Check for open colors at the end, so
           we can reduce colorsTotal and ultimately
           BitsPerPixel */
@@ -502,6 +508,18 @@
        int             v;
        int             xpos = 0, ypos = 0, pass = 0;
        int i;
+
+       /*
+       **  Initialize the Compression routines
+       */
+       if (! ReadOK(fd,&c,1)) {
+               return;
+       }
+
+	if (c > MAX_LWZ_BITS) {
+		return;
+	}
+
        /* Stash the color map into the image */
        for (i=0; (i<gdMaxColors); i++) {
                im->red[i] = cmap[CM_RED][i];
@@ -511,12 +529,7 @@
        }
        /* Many (perhaps most) of these colors will remain marked open. */
        im->colorsTotal = gdMaxColors;
-       /*
-       **  Initialize the Compression routines
-       */
-       if (! ReadOK(fd,&c,1)) {
-               return;
-       }
+
        if (LWZReadByte(fd, TRUE, c) < 0) {
                return;
        }
diff -Nura php-5.1.4/ext/gd/libgd/gd_gif_out.c hardening-patch-5.1.4-0.4.15/ext/gd/libgd/gd_gif_out.c
--- php-5.1.4/ext/gd/libgd/gd_gif_out.c	2006-03-13 22:56:38.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/gd/libgd/gd_gif_out.c	2006-09-05 20:31:02.000000000 +0200
@@ -265,9 +265,11 @@
         int InitCodeSize;
         int i;
 	GifCtx ctx;
+	
+	memset(&ctx, 0, sizeof(ctx));
         ctx.Interlace = GInterlace;
 	ctx.in_count = 1;
-	memset(&ctx, 0, sizeof(ctx));
+
         ColorMapSize = 1 << BitsPerPixel;
 
         RWidth = ctx.Width = GWidth;
diff -Nura php-5.1.4/ext/gd/tests/bug37346.gif hardening-patch-5.1.4-0.4.15/ext/gd/tests/bug37346.gif
--- php-5.1.4/ext/gd/tests/bug37346.gif	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/gd/tests/bug37346.gif	2006-09-05 20:31:02.000000000 +0200
@@ -0,0 +1,4 @@
+GIF89a
+<
+
+����, �Ҷ�˵���˲�����
\ Kein Zeilenumbruch am Dateiende.
diff -Nura php-5.1.4/ext/gd/tests/bug37346.phpt hardening-patch-5.1.4-0.4.15/ext/gd/tests/bug37346.phpt
--- php-5.1.4/ext/gd/tests/bug37346.phpt	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/gd/tests/bug37346.phpt	2006-09-05 20:31:02.000000000 +0200
@@ -0,0 +1,13 @@
+--TEST--
+Bug #37346 (gdimagecreatefromgif, bad colormap)
+--SKIPIF--
+<?php 
+	if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
+	if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$im = imagecreatefromgif(dirname(__FILE__) . '/bug37346.gif');
+?>
+--EXPECTF--
+Warning: imagecreatefromgif(): '%sbug37346.gif' is not a valid GIF file in %sbug37346.php on line %d
diff -Nura php-5.1.4/ext/gd/tests/bug37360.gif hardening-patch-5.1.4-0.4.15/ext/gd/tests/bug37360.gif
--- php-5.1.4/ext/gd/tests/bug37360.gif	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/gd/tests/bug37360.gif	2006-09-05 20:31:02.000000000 +0200
@@ -0,0 +1,469 @@
+GIF89a�K�� ���������+w���������ױ��⾱������c�����������Bs������������������ȼ���Ծ������������Ǽ�����䒐����������j��2��ȴ�ħ��¹������������ȭ�������������O��Is���Ŧ��������*�ƶ�ï��������;k���-f����������������ݺ���޲�������ڛ�������વ���󘞳������0�ս����������Ӳ����Xix���Q������վ��t�����������ڷ����0�Æ������ʼ����������õ����������˽���ֵ������������Ƴ�������������������ĝ�������������˳�����$Qx,\�����������ƹ���������������4�����������-������4�����2����󶹾������$m������✆~������������������������%}�ѹ�������������a����9�˰���������������ȷ������ϯ�������ش����2�ƹ�������|�������Ƹ2��5�Є��=��������1=H������C����ן��z�����]����߬�Έ��5�������������������������������������������4�����������/������������ᒧ����?�����������������6�ջ�����������������!�NETSCAPE2.1   !�	 � ,    ���� � �	H����*\Ȱ�Ç#J�H��ŋ3j�ȱ�Ǐ C�I��ɓ(S�\ɲ�˗0cʜI��͛8s��ɳ�ϟ@�
+J��ѣH�*]ʴ�ӧP�J�J��իX�j�ʵ�ׯ`ÊK��ٳhӪ]˶�۷p�ʝK��ݻx���˷�߿�n����ÈN̸��ǐ#K�L���˘3k�̹��ϠC�M���ӨS�^ͺ��װc˞M���۸s��ͻ�����N����ȓ+_μ���УK�N����سk�ν����Ë�O�����ӫ_Ͼ�����˟O��������Ͽ��� ��2�j(�"��x�0� ��0�(xLc�:Ԓ`�}�>@�C&���	;e��	�X�4�,�]��*:��N�$)$	�H,��2�K�h���a�1i��<��H����r�1�4�<C�WZY0�x��x	&\�R<U�9�%�<��'n��=s��J*�<#�,8 �g�� �Ŗ[
+'��u/ <cN2$��A�#E���Y�+���J �Q���+ЌJ�%�H�*�=TCh�e-qMa�Բ�8�:� R �7 [���5���&,�ji�J�X���	�'[�
+���֫־�#4�
+	I��j9��`]�Sʢ��>�"���0�7 w�ư�R��#��iަZ�sŀ�֢�3�\����d�o�!k�J?H���#�f�q���n�Ĭ<��� 4���r�e0�m5�
+]�:<R��le���R[u�8/ ��j�穻RK�U}�2�<4��;@DJ�̐eH�(	k
+ٲ�0�=�4�$s44:\r�'|_2�'�I��������S͡
+�$(3�%�x"�%e2@�}{ι���߾@�T/H!4E�R����0�*�I��?HA{��:<��Q�1����)�lO� ?���!��H�����%�O�`>��޲'(��O"#`�`a��h ��� ؑ��iio��SD1 G��|2��^$f`��fP)$+�P�>0"�eH�����He2��瑀&����$@�p ~�B5�!U�@
+�0A�W���_3l�TQ$��`�� ��` ��.�P���~`�QȠ�(�!�4�id�){��`!3��?0�
+!t!6(�؀ �@`�&E��1�S(��z0��Q)����dЉg,����A��>��,l� E�%D�@�cV8�R& �6q	��A���0XC�B, lP���B0�y|�k�P�R��C8�`Nx�?�`�H �PA�a�JP�Y'�i�����Թ�R�#P��B:␋fP�  >c0-B�e��,8��WE�+d0�l���E(�;$�
+Hl��?Xc��'B�E0�HY�(�X�5�@3p�O	H�
+H.ـ�F��H]�^0�D�iH�	2JU�jU��A�.ѱ�1�K����g�@*��
+ڊ�? @�����Tb~xM�7� �I8A��&�Q��a�� ��CA�0�H�G�� ��� @g�Z����0@ q��T�L��)�p��&����m�p�Z6a�x��2�&�b�  �Y�6@8�.D����U��z���Y�(ߨ0a��A��N PЁ����a�-�ʔ�J�a�&�� @8`�p �y���\L��H�P�
+#t鐀�17�B �@9%yS�4���]!&b�� Ax�)@��D�Bm�*�;� g����ۀ5��=�I* �g !	�����r��
+@X���f	X#��B�q�$4�h3��`�f��-���ٶ5��հ� 7�h�1��vP�	� � �p�	��
+�8f��� n3N�@:�`.�R�L�C�����;P5� ���O`��N��&��G�:% ��3�� F8�֙6��L�r��'��`�A�b��L_����ǳU��$��׾6�[��f{��HCw�f���o�m�g�@��G9�Q
+k��d8$n�r8 k-���k��f�H�<�i�#��B�Pk@��ޒ�����y���@-�*�T��*��7Ђ¨��fh�NO���50�u���Ճ�� �o$���8�k] x��.���u�{���y��KU:�r�����00�c�{vz9\��ks�9�9�+��6Խ�V(3Đ��8��J \
+9X����l�Cd�z��) �À�/@�qy�'�� �M��D�AW�.}K� TP���!������=�i�
+�m�9���1��k� 3� ��!��CmMp E$ڰ"0�n D��p���P�7k���uk�v� \��g~f&x��i+�p�p��� �`RF �� WPk�	��`.<@�UQgi'k�vm݀L�X��l'�@w���sm� V`P
+J�J(�
+�Tc L0X@���\4��F,�o�FT���B���@0��g��u� S���0[ EP���4�h��r6�Abd@,�F��o0u�@��FT 
+}�m0py@,��qm���������Mg� &P
+�@�k�`H,-P��H�l�viP{�V
+m�kP{1׌A"����'	D�q�V !�O0�J
+p�YW� �@T� �Xt��c��wv����Bum�9 y�Qw�N�ۀ���v̠	��m�p���P���\�R� �%�������d�(ʈg.��009�sT����Z +�TN 5�����gs`6���(��H�0���S~�
+��v��9���wp��z�3�)����0pm�����u��N@v����Z� Dp@P�@QّS�w��f�W���� 
+�В-0�����VH�l��Ќ4�9P ���R�_N�M~ 9wyIV��������� mu���6r 5@
+-���n�t��q�p��FS���)�@�p 
+ ���i~000��8�P yPW�MZ�
+9~Q�y@~�r�
+S � �a�p���p��� 	��fy
+���'0�G���O _���h������ޠ5{֒ 0�iQ��S�]&{��	9�k�o�X{?����]0	��5Yw}X�T�	�PL��0�C��0s�L�yp@t�� X��t3����Fp��0k�كj؅=Pq� ���G)����i��`�pLP �h~� �ΐk�>x�-�D@k)��"
+3ii��Ѐj؉=����P���P�f~�����2(� �Y"0-p����T�В����	��`q��Ȗ��ډ�Iu�-  )����!zy@�S� 
+�i����  ���@oЃް~��Ĳ� uT�
+V-�p��@�0�Z ��v���|� pT0p�'	��Tؑ`� |��eXS�{����4w�@i�2܀0n \�װ������	k Ay1  �Q���U�D��T��`�	1�Q����T � ���>X ��ei.i��G��x�tA����o�������pQ�w� �� ��	S�~ ���O�t*z`
+逕E�pP `o0s�8�
+�R���`}�I�߰x`q�։�����Z	�gm ���{� �wP�	��UP�� 
+��Yh�����P��I.����{�r���@
+)Ug6*	���Y����������qV�4� UjfK��0��R	�J�	�@�P� �Er0	�a#���.����h؟���#AV��.����p�y@�@���LZp>����I� }H������a
+����� 	��@��@�@�Nw����wJ(G,�P n���~��ǋ0�
+Q�m���
+����LX@D���@� ��5`}z �X�M��������˖�G0,4q����������Z���@�Q����f��>h�)@L	�`�@g{
+�	��W���&� @��ˈ�0 7� ���\x�B���.@�<�H ����m��J�f�0�`oo�SC M��p���f����;uʤp�����,y�
+��� �О�|~xhƌ��p=�i
+̌O��q@��t֢���	�L:��-Pg��<H�z�o���H�����\m�`���]���D��P�-ɿZ
+77AP��~��ݰ����p���1Pfu��"jy�j��0��`0[ ��q �m�К��R����9����� �{�; ��F�q�`tݲ�:���$�`	�pY�5�
+ג5lmn�Bs�`-;����׀]��=� �ZĂ�VP�"jL0����t��]C0  0�-Lq��--��  �����0��G>������Z��� ���pH�����Q� �c�A6J���������7B���B�^|m0p��Js�+����iP�� Dp�u� �J0?d���lc��q�-骵��LP �
+0u6m�P���� ����݀��P o H ���少QTpfu����`�̠�P�<�`��r�П���T�ͅ��� �g4�� �� �Lyp��������X��]n�>0����q�l��)� 0A��gKЅ9�v���p~No
+P���i�=�O �m���M�!U`l�h�����}��P �+/<�〒�@qk ~z�oGP
+Ԫꃞ�p��s�Q����������E l`Z:����ȝ���}�K�f�V[�{��������·�=�0P��	�i��`���YW�	�h-k���)�s�*	.��ٓkȸ.@.�p�	b�d��J��L�"]����UXr��3�zmr��7��[L��@��Yk|m^�x@�����:g��0�y�0����*�]�0>_p-��C?�F� F � G�v.���6L��	MKLp�m~VP �����X�� �p�Y\�A�9�C�oE?'�Pے`�x�	�}~{�\��M���`������	��-�
+`�%`�����՛� �7btπ���\ymUk��M����JM����߲N�hg`-}�n-�ʝ����$<�	������vi��r��K�x�R��A�	&�II�QL�W�_
+4�cB�E�!E��v��I�R8cٲ%� AFΤY��M�9u�����O�A�~��L��R4�8�C7g�6���d�{B+�9"��B�a۴��0b7BFH�Q_���y��,+]��IK�_��&\�pE2F�q�Be�n4�,-�a�7
+���h�װ�:@�,DMԄd�Vc�1U���f���X��us�a���'N��,T��堲�,Ki�܁�`$M����ݻ$+�E���t�'���좢�F8�%���7")R0)�{oc�p@4�"#�x�g9��8�a��(Xʅ5�l�;rX�
+�X��8���[H}��H�O(b�=��"�����.ܜ�! -�¹���@$�Trɜ�	�$R���A��*�0��^�Ă��"�VY�G�!�$q`��ʒ����pMD�����6�(DD-8��*N ���IFut�8�"�n(��g�ـ���� ,�� � ��y�A�)��
+RD���� V	1�z�1"�� ��G��ab� �뭀:��Zl�`�qX�&��2]Ԩ6঑�$�Tp�:Zm��@b�r�+$�w�C!�qf�#y4j`b���?m+G��� �ł���c�g���gTrƅ t�A\`� 
+��˰*�x�5y]��Tc�;��`� 1xa��	�$��KBY������R��A�k�5�q�iLaz*���7��h�-�W@y�W�3|�V��)qF���G۞q��޸�`)�
+$l�;G�L���r=��H� ��f�θۆ ��!#y�����& �6j���"�%x��
+J馱�<�~��x aA�:���(\Fʯ�N�sxWm��p��"�f����V��C�  �mr廁�<��#`��P( QXJ7.�6g4�8N  �<��-x�ԧ�:�PC H5�`�� @`�i�$����A@��}�Ü�BY�� � l	$�,�4���U��3�A�-E  M�q�4`�������d����� ��xǐ� r=�B):�NР%H�p����k���"��1�&h�$�<4\�P(�V P���rT�h ><��3<I~�24Ȉ��@�ԇ���U"8 (�!<a�W��L:�DX�"���L��$���K�� "���Pe7H62Q���� �d@�����KB��ts�.((1$��bKl`��	�I���B� � ����M�z��x�7�)
+!mLD`$ibnn�/��G*���$,�0$�,�g�@iIP� Z �^���c���zs����aq�,���B@�<�5�.����D����
+�%U\�!�-j[���?�BL耕\��# �@<��e!�!���t�	;�
+5�?��IY)�Z��8�V�2��@E���p�y��zh ���
+��	Lq;�2��;9�
+��'�<���sAO7�i��
+'�lq�<à:#X4�@lvQ��c� O�� �0B��Ĵ@�F0 `����W����Iܘa�T����Wa5���nuE������
+�aZ�[�,�*kPh���C�]�o��c��1��5�#!]}C��KC
+,,ݙ@�:�${�g�TbW*�RQ
+�exJL�p���Z����@�B��")i�
+��Rݱ ;�  PL���z��M#
+@N+q��
+�hd8�E�MH�� ��@�h�[T��͓E��N�a/l98-��m���Z�92gL�$].S��n�c�b!��gU�$8'; s����NU2+�[�gZ�7y���)E���`����>��	�-pk��(�-ե̚D�������Hx�\f�c�@'��$�-P��<�`�l���~�+{��P�9`��zc�n�" ���\��Na�ײӻ� `���nԃ�mTg��И�S�Z��F0��ӗ`�ǕB��:q	xa���CN�o؂ޕ�K)�>��7X��3��;�jԦ�@l�[�`�H̟�!���ْ&�@6gj�#v���=]�N�C+)�qt���F�n���r����c���=}�2�_Zä�j�p��Q�{cSyH�"N�-�*@'Hv����G�Q���N��@%`|��ы`�/y/)� ���5,>[� �,� q�$b�7��7^���G��K�po4F����+p<5�;�k�t��I\���W�Z�
+�?*	[ָi/l�0��( )�_\�:7
+ł�@H?l��?z�wB?�y�Y؁��p:��-���83NH"�?���  .��p��@��KP� ��K$Wa���X� h�7�0�������@;z#`�.� "� ��[  	P��&V��. �gP�����-� 7hB 4�g؁
+���K.��q	N@��I��):X-�y�l��
+X��� & =�h�#� 3<C�9�룚
+��� 
+�>�9;� �B����a�
+#�(GÂ��&ɣ����(XDF�� �@	{ �l*x3��D(E���q�<B2+�P�Sd�({EʟY|  ��H�+�<+ J /�"E�.E(�������Bɰި��I�sF � �;��g���2+�2��PD�DٙWdpê�8�i	�[�6k9x�!!�?5 "�h��� P�>p<� �Z���{iC	+h:ul�( <�Hz`?7b�g�4��Hf��y2��D�-L�e��5��I�1�t��Y[(H��    +
+J`M�g��y�+�����J#J���{� w@	�i�p�?�:2�(�+&:�ʏ����ASL+�и0��m[˰A��,np� � [�H;�(��F�ˮl��1�Z�DFޠ��r�ld̯�����a`��Q�g��K���!�jd�jD�|���6��TM�9�Y [ .8�Ax� �J���M�+!��`#�M��ޘ�;c	n�K�Ė�:��������N�a�P4��B�r��%hؚ��)NX��Lп�/�:���y<	��0��( ?�0�E�P�@����R5�%|D����l�@�� ��PE�oл��٘� ��	(�b�#X(���݀��Q$ŉ>�'`ҝ+�˧����	 ��(��HR.�������!�i� g�5�8��qr*�(�.��
+���,���{��g�0
+t���-U�&h�9MRfH �s��Ð�œ�$���i�(P�DITN�P0 `�9 >��V��r��+��|�	H�T������$F�1�{��X��	�PCl˄U$E��2?��B.�0|�-Խ�#8"�hJb�P���(�Ι�)�X3U3���(P���V�n�4 4 ��"�rHQɷ�����wTW�]h�<�[- �0�` �ʩ�#x*VMO�i���������s(���+e�p� �ЉENT����G�#w@H�������ڀ �֓eL�+��L�9	*�6��Y(N���ҝUО5�18 �I���L�6���o0��xը�o85��_�6��P0�+,� @X)�F�/l�#�=���3��`���]h���R�("�|m�F�R� 9\x� �9���1��
+x̛��A�Y���\F,�(���]�]PV�!��6hɦ)� ��S��*��30؝"��B���6�5��p��eL�!@��٢��$�o�����\��^g�;��ey����F����ȝ�`_�l8���P��]2�]���?8���T'���*`��k&MJ^�m���]�]Z� ~`���w���^�l|饊�j�@Tf< �;�E ����	�]��X�p��ۨ��n=d&=�>��a%��^�Z(��#�51��w)�1h�=R���ɡ��� ���"��\h�q-;���ĨXJ�`�ec��," �i��% ��d�5؞�(���c��\`���-/X�k�1�-M
+XQ I�>�S 5�µ���^�|tae����Q�/�;Va^0P�#F;	����[,(�Z6:t�;���]���!�T���7"i�>�"�vuWB�bR"#P<n���Xel62T�mV �م��(�C��6��{���t���2: ��k��?)_ސ?G�g�IeF�(��R�$�U��@c	2Y���8�ڮ��Tځ�1�c�呉�ֵ�v�!�P(�(hϑG��(����.�>J_�]hY�$�E>��	�Hj8�a��a8 �ţpȃA؀�jh�..Sx㷸8`�e�W^�s5T�k���+8�;��
+f�@��1T1�kÄ^L�+_o�-�%s��c�6.�:��S*P�<f
+x�����6.S7�N֠PX�������̊ix���&d�j|v��Ag��o������$�!�S� M��<,���(!H�>�p�U��" �ko��n�����n���ղ����>�hm�* �0� `l�*�쌃�ˍ���;/;���(#`�j�� �/L�	�  ���&!���d�<�#~��z=�S@�䞞C`������� �����vq�f�Vx#*e�n# ��������
+ă["Wn '�PX�ݖ�7�)�mf ҽ��RP�+�l!Ѐ�����n��B��Z6�,>!�6ws��5l�9os:�aЖ@�=� �$/�t���h��;tD?�g�۽pG=t�5�0%�t�n���tN��{�u�WG��}���WT�f7��V?�WW�8ė��Z�f`�\��]��g���`��^�����c�d0Č��Jo��]� 0��vj��8h�l��m��gxɼ��p�d7X�<`s?w6����/pw�l��Rz��H� c��,��Eplx�/x�?x�Ox�_x�ox� !�	 � ,    ���� � �	H����*\Ȱ�Ç#J�H��ŋ3j�ȱ�Ǐ C�I��ɓ(S�\ɲ�˗0cʜI��͛8s��ɳ�ϟ@�
+J��ѣH�*]ʴ�ӧP�J�J��իX�j�ʵ�ׯ`ÊK��ٳhӪ]˶�۷p�ʝK��ݻx���˷�߿�L���È>K̸��ǐ#K�L���˘3k�̹��ϠC�M���ӨS�^ͺ��װc˞M���۸s��ͻ�����N����ȓ+_μ���УK�N����سk�ν����Ë�O�����ӫ_Ͼ�����˟O��������Ͽ��� (���=3�����(x���:ࡃ+K���L3�R�P8p(Ň� ޵<sP	�� ㌙�xIR���7�(�,�?>ܰ ;3&�d&Rl��P򢆏>�P�I$A�7*=sCK,���dڈ0N>���P�S<<#�?<�(����P&�� �'���fs��&N-!�s�`D\��O���J^�d��
+Ϣ6}# ��>�Q�GK��c�,�,��e�j�L@*MB���A0������3�$#���&	���(�����vD�r�J Ϙ#�3� m��Z���d� <��r�3�$�L��7���L!Q ��Ȣ�$ S���P͔���K�����`)t� j@�M�m^t�!���'�IB�k��t�B$�u-KD
+XL�	kDq�4�В ��Y�77@:�%8@#�7nj�/p�m/B�\��J
+���3��1�`�ݼm�ӏZ�I�DV���+P��2B��HL1Vq$�<T�jtϜ��3��(��	�s�w� ,'*\PaD�L�h�:��0��4��5_u2�������# nw�D�x�yps�pz9�>�������?�
+;�Ì� ���U T�N�r�`�е@�s���S@���
+�FP�y��$J&�<PAp|��q<�H����$�/b��S�ыS��Q��Ct�@��q�HA7(�otc�П(0Xh�����ԡ!y����Gd���0`�� A*����N�$d�P�s�Q����XC8�A*`��a���-DA.���� gpc�!A^'Rc�PF�ֵ5e���ڂ��� ���r��夆�o9�`���8�`�|#L�Bgxcz�cD#����%- �`BJ��d<c��	� ���pW�z�$��B¾�&D�NH�rv�����p��r�	g��
+�l�7ꘃ� �I+��x� � ,9�����Ĕ�' :�i�lTL����{0��p#81ʉ�#� H�����@��1��lr��V���EC�7;�@� {��+dQOȨ�P�5�FEǌ��j}Iٖ 
+)i�'0��>�_Bd���9F�T�Bް@�R��.��8�X�#�-�#ri�W@�'��0X�HFF�QQˠT�ԨJ�Ĵ�8��<�[D�$эRh! f���0�m��@��<c35'��J��9�H ���@��O�v V���f�K4U
+5�� �v��H]���!��PV<
+�@�T-���@nc�4F`�	|CB9 �r�9ߠ q�i[�5��U)�ʹ�A���7��D��mM{�*$� �F�A.��At����� ���F��E!df(C��(-����%��h�R�m �r�W�oA���Z�'[K����0D+��&��0��L'� ,�~x8�����i$`�8�*f0�� ���Af����΂���Դ�Z�UH�u^�Q�H�K���ZPX��=� Z ��_
+�4��W�Q�t�J�nt����B\�*�ޤ�!�W@F�;d@ �b 4h0e[
+�0�V��T�0D�z�CT�
+�{�� D!�^�HOz0�Π�'���N���0k���>���v�h�&^xF�e�=�!�*Hc2�P3�b#�A5� ���vU�����W���� Р�����'ZN���r�TU�R��r�qC9]�̕s4�A�k jUS`�w�Z����! �X04� [ˈI���4� zH@�>�	��6� EX�>�"�`
+�>TM.�
+�\�,OQJX���=��V�� 1 ��03��9N� ���7����Å���hi uN`�m�`B�iF���wS���aP��%0���m;���=�X'(�߅�����>�9�ǳ�b�r�ƾA�F���c�\�pִ�p�7@�nР����)�N�'�	�5�%@� �{�G %Psw&p p �0|0qW�/7�I�w5y�p9�7�%}p���?���6�2P�F�� 2�?�@o�k0Sy��n�#Z��S j�BU� p�62�	[ /  pv`v�� z��p���E�բ>5�q� ,�2��=�"�h#���Z���*o���p��jk�_ΰC�?Q��~�u7����P���T�WX@�0��� -�Y�g�{C��=@	�`& |"��303=^1�-����� u9@��u(RTP��k�mD,�����Q�����F�6C9@\��oL�y�?�
+v�����N0��?� �
+Y�v �{���H	Y���&P� I��q�*pQ@�ݤ��(n��J������oDc�xV�n�UCDw�W
+G�B��1��9J��P -�N+�
+3� f`��_0* ��Y�(h0w"P%	�t(���" �P^����`��j�X�=����j�p)D��)�@�߰��V9��e4'@�N��Jhty�4�<��DP�)@Dp��T0	#P��*�h@  �0wl���	�Pe8�s��(I��(q�Rmd=cyx�(n���tK���p�	!�߰u������B8p�<%eN4 'H\tT�}��> ��\�`@ � ���h�vl�1ղ&��@@��($���00Kd��L �)Z�ӛްO�sm�nq������s�V�&R��n������ey.4�`W��0��  `G)�0�"`_pk����2�h�pdp6��(�p�@�2�vxT��pR
+��Q@@߀�D�(��B�@z��j4�d�'Rk�~��E����ޔ�h��)Z����
+��d� �	� ,p h�o�A�R��� Z
+���(  8y7�W�)@y=&O�(}�ť/ 1D�P���E�B0@�Ry9ɣR�	�G�7.pe�����d� @(������I *�	�p��" ]0:�3�8x��cU�,�*H�p�gNH�М��VV�7t�gdWV��?�����.��Z[��1c*s�@��N�J�f�.�`��L�y��N0�v`i��
+� ��c�eG M L^�+{g�iP�����u�H��uH�BL@"�h�f�"��i!�t�RKsڴ��R�c��R��p����V�'L��N�?C�����P�9�Y;��vGv�G �`�g[�Sc�P��-�Ёs.��]*OJ��T�t�7Z9�^�6V`/�	���؛�G��g5��G �
+�p��㨰�c�@C��@x��  I` � {*Pp 0�{֐�P|O�(
+�ֆup4��E��	3�� �z{x�����ݠc%�3��K���N8��eF�x��3C��z�d#���R��~L 
+�T��� ^���^p �8w`��k*��� �����Pl8,�@��V nʤ�B@�h���ɫ�zx�ԩ 	�{j��#�RZ�N.G���&s3�o�
+ky�z  }yF�;R���s*1�5�� P��,�p7��f�3�g�z�rVRA`����z�4�t���x�� s�jL!|�9��Q �ؤ.��Cs��R����p�z�-�o�yЭx��4 �Ј��jtΐ 
+�   � �.js�0j`0?{3�P���Mu�C0��1t�h����8�~��3�z���l�Dk��n�؁9R,e���58J.��~k�x�?p)�X��B '� �PVpv@ @lʯ� ְ�@A� 
+}�B��R	u�9PwT �d�/�Q���coI��h�V Üч���	e���a�� n�[����/�����y���َ�o G�w`j?vJ`	ϐUp��^�  @ ��l\  ��-����u��2Hƻ,���C�����Xp}wk�Lз���� 2$��!�Q�,nG�d��@8��CX�q�[����T n�� ���X�����D �n ������ �L�p��*�)�	v H���������J�c�Č�4[ �zxݐ�n� �ϰ�6һ��������ӧ�@���j����_��M5����;�[b����  a��iv  ���0%�	�P�`iDZ`J��cu8�J��*nk��=vR���.7�f������s����Jl��S��ܹs�j`Jy04`�2 
+FD���6��npOW F����Ump}���'��Т���QLc `�����@���L�3���A8�cv��m���/Lol���g�� ��v�qI��st@�1T����i�n�y�����߀4P����|
+�P]���� �ú����P��t� 6@@�G�⺽�,��pX�l~��������*ZV&'ԋ����6gU Q��V�"��#@q��P
+� P�ϰ�q�UPh3�� �pN}���� fu�����kpGڥ��$(�@xn�������5Pו��IZ�g�4���I�<��͍�hקNs,u4 0C �$ 3d�mC��� ���E`��@���00�f.R�&��4�vu���5��"U���6��n�Ȩ�_�W��E�5�{��y8��?�pˁ1�o��@p*���������/� ~�VJ�[Z�4�@CT�Ry�~ }=��ۦ!��p�\ ��Svh�IZ~�h�G'm 4LP����:G�dg�.�F������������]�.�p��#��[4�~�YTлi-RH
+?�RUV,��k���B���SvD�10Pi=Z@P�!��VU_;T��"n�Fn<K�Bq��a
+� �V�}`���}� "��%Ι3,Ψ��-�A�XԠ��!�FHAX�!D��|����Ń�.rS
+�A�]x����@BĲ��Νμ�ɑ"�;-�aI��J�Q�N�Z��U�Y�n����W�a��H�4O&Qjz�A�b�u� ��3b�F�g��_���t  ��,V@��Ev`�@%"1jt�#�` ��S?�wJ��%�nZ���!@�g�04<���e7
+�Q�٭dàX8�(P�`��]`�l�Y,9������w���B�.�,D9\���t�AL/z&�j5����ʺ� �#�$�CL8��3`l�J()�������R����vb$����% n@ra�	�������:�(�R��g��``	��
+耓�(8�4gl��Ϩ��>&�t�I'��n	pv�¥�(���D��(��@?����:4�G�V���L���h#@�]�H-��hf�h
+��h�p.j���٢���A�醊@��p�(G�`�(���C=x����
+����B(R���g�8����uW^{���o�!�nh�$�6��p��"�s�� &(s�	�y�� ��@�PPE\�|�B�n0�1!,`x�
+ Ҹ8�ܜ�dɨ�A�!N.�/�o�p� �*SM��7H=���g�wj�-��1
+�h�b۳��W�c��� yƊ�$�������+�@W=���k�i��mk�I\a꩟�����,�*�%����(x	f *7�
+��|UڨH��4�րg���gF$�Z�1��� ˝¡�eS����9� l�{f�C}�C�`�ALF+�\��-�nr1*@d2��D[���$ %����!�U��U	��4��8�<�+T�y�g��`�P���
+ %ot*	����z&�8Ƀ�����m�`X!*Z0p��]e$
+0�
+B�3p�nt@q�c`a��"�'�D�6V�A�9� ���`BQ8Gʴ;m�#0�iB����H�1t@ 4!"&tHA74p��m@P�@ ��
+����
+�e�5�o*ߨCܬ⏲�s�8P\`EQ�H����n�dMYB�� R��s`�(h�9K�``A��!���&���o��a�
+(`�����Ӗ$�#	*��	(�����0���]ꀁ�������A
+0�j��=hq�8\�Bd�� �*�X��B˻�G�	!(�#4'H@����p���&wZ��g��GXfH�- ᐈ���3 iNkC*��g���B 4�� �Ѓ
+�Հ? `
+��0eD���|f-�H�8h�I���O\@�݃v�)�Q��H�ܰYn�� ��ݤiM�����4�B	�r���J |h@��K��
+�3�@
+D�\ �L� ���
+���=. �<��Xg�y� Ђ* 0��l�Ʃjrq�3� �%��5X�M���|ÚK �h�,&P&(뮪 �D��H�R��b a�'��fD �9�p�oT�*3r@֪�8 aB}��3"�u���3����x#2lqij�gHpcT����eID����& ]�b��٧���j�
+(QN��Yi�U^��� �$E#���CT!�9��t���"�,@�A�(�'�ݕ)0!� ��d��@񆗸��V���]h�_�X�.�@l"g D)���
+��<ވBX;b�J�"�y����Zh�7��N�A�*��A7*|-HMxU�TS�3��9&�$���g�*0�J�A ��r�{%p�"�� ��4�W���l��L���P�U���ƣ!ܼ'"�n��36p���� ��g܁�=Z�N
+j�3:�D4���/k	s����"�)?ATy�h�$�+�x�Wy�7R�� ��>��=u*��Tb���&��9�=�܄}ŌoH@�@�"�Pk����U�LQS� �A��Lm^/�	�@co����<���8����[�a��>�}���0���3�����P@�n?���ۍ��R}��(3�"p�ƣ�X��=�G�Auz���'�V�a��o��:!>$`i).���
+Z�u�>�%�A�S &b@��E�\�1�`��!��� ��{���O�1
+�Q��&�%����$��ut כ�&�`H�`�
+|�Ɛ�?C �`p�Q��<
+H�Yl0�m�Ǿ�ϐ3BJq��tc�3���H���:��4n�~��>B����*���{A�wYD� ��
+|D5{���ﵗHT���C	XA��+DbO����"` �����ƚSx�[�!XT�=m��C���H+��[	��%H?�S�9�� �
+���K� ���z/;��0�� Ϫ�K�<ʀPJ�"H �
+f��(�C��o��Cx6�؀
+B��x�
+*��H����q��r��'�.
+c�u�$��I8�g8;��P;�B�X�>	)��C�p595ZQ.�ȁe����=8�7��K�Y*`pb(��h�r�ŀ���C���Q�8� !�*�	X� P5�{��5��ꛙ	�,Gd�X���ϲ���x0%�)8D��TI���ړ
+��i�i���9D�YB
+��^��7P�]L�F|�3��&P�a�c\�����	�03�'���a
+(����G��� Hg(�5�0�R`HG�����	������+����&3 ���	<c�I.�<J:�`���	r�h��C��&(%���5p��LlEH��fZY���pI7k�#�ؠ�HA�Q���rKuT<�Q�_X'='@F�낐|��F@!2T�-�D�/��18S�*�o(�\( ]T"�*��T�rh���� >��1���R�m1�Y���#0ȃ������n�#H�������XP��$KFT��z�W��*�H�z�1�Đ<� MmI�m���� iSM � �'�9�F���uC��ӂsX���ͳ���P�!h �3ΐI�QaH�����[���
+��!�<X��Z�:� ;%�Ō�H"�ۜ��01pO����� �.�sX1�X��?��&#@$ 	F@�hq �@7�;���K��'����T � f��7�#m�Y�����	�{<њzE�T	7H�:�D�P����tD+(���,N Nd<��I(��p�[8�j<�+) ��Қ�P0gp̫� X-�J��H0O�X�\ʨ �.P�;�!�t)m�� �ɔXIM;�&��gs�:�#5�"��r�%�'(T�l�NRϨ��Q4�=�NP�;TH��-���T�"a�H�:R�A(Uut -P�'�g0U �A%h�uz�pK_x7�|�z�$�&	����;���b�+zX�ܧ���0-����
+��.0�Š�1�K��g �*�O�ȹ�2v�#�������t�<`�]t �����0C����E˚"�O�|�C`���5( ���m�C�B�ä�@*S�H�A�BC~Fp�;Y�q���1f` �� ��T�)�Eg�;5�=� 
+�Y(+9��<�
+T8���Z9�1��CH� 8��Z:�IY�uݦg�*�Z����W% $�
+1%�2y��0 ��1B� )�e [���`�n�`�u�6pUl�� ��*�+�A�+{ �A�Apd���ه�������>(�ў�2D�\�����U�D�S�R��*ȃC���3ܥZfh��(�X�:�1@ G`t��-�'`����0P���P(�.���,��ޙA�5��3.L� :�[(��M+Ї��,����mHS(�Y����l�_���o2�m����.^���	�,A�Ǫ�4pT�2��g��pt��\�g� ʐ�� �8�i�.����M �H(��R"�-ġ���a;=�f�
+�3pN��2v�"�.��HU8�õ�� FC�"(%(���#� �bm<��e�hX(pE��K� * ����ŵ�`��{�dLF<�L(5���	�.d���Y�c�](�t  �.(�5�]p�)xe8�  ��;�=Qwh��p�A��@F�?� -v��) �T y �"�f��c=����D����ӥ4��0eh�T1h^ �f`Z�DH�o��1p��%�(g<VYՄ�M8���Ehg;���0k6�<���H��p�y���mN�E�_~�53���Sh(�]���yhZ�hҢ|N[�g�LP��cP�?��
+��(�~]NF���/�&-��cG��g������f��i9��-g���j��0�*���gh�NƲ� W�Pez ��g 0R�|�5��KU��NPh�ye��!�����
+SH�ð``���a�����N���.g��2�_C xR��08��8�0H ��U^NH&��봾�t���(�"8��P(�8 (�됼 Z\�R���vI2����!f�<ߦ�s��I�z� ض�!�kg���n�� ή��>@��f��څ��N�p�S7�4����Uo���ե�D�[hK߆��� ���o��� �V�c�� ]Pp�F����bdW@('�@&�Ʋ-��[�g�V�+��5 ea��Hnqm��0��>� �N; I���P~��7x��r!�I�c��pæbx�& �p;u&���+��q&-���r���� 1 �V��g�4��kƠ �bѦ_胰�sm����<��^�_��ц�]HʡրR����E�*(p	� .�c027i7xn!��N�C=�pH쉞`��bPu���V��o����U&-*C��g辠��S�u ���`����vƞ_fG�*�sy�_�8�j_˖-h�lO?P(�n� zxiE��~�Jw9􇆎�o��W.�Z��ohȝ��e���K���gXv�˅��VAJCx($����~w�W�tog��[�O��V��&�˸�c� �.da���BS�z  a����b�X�!������2M(d����;��>&�:z���V (�80l"����I��=�߻Oo �8x�w�~F�A���NP�4�:���^���gȁ�Ȋ�{��c8�H�?(�Ũo���o���{�_�o8�th�����i���̏�.��>P��>�] y/�P�q
+N?����9O�)��6�C�yI9�ȷ}|�(������j�1N d�G?/���m`��v����G?��t�~ �e&Wh7��؀��':L��g�a���b}KF8����o ��
+����
+2l��!Ĉ'R�h���g89� Ɛ"G�,i�$ʔ*I�a�,�@�� 8��&Μ���⬛:�-j�(R��P��9�L I�R�C7g).<���+ذH�Ah*���1Ĳ5zHK7,Lz��k�.ޅb H�I0��+<�.I�J#,�n����-8U@GL�7Gtä[f�G�.�P (	N�a�����6���E�ܺ����)�"^��~�m�3g\�3o^�E�gEȱ�0�#y�^��=�& �����.�yr�;���H'~�����b�](�)�~
+��Ч@4� ۀSݓ�m;48a��x1�@ha�S�A#4�!��}�Sh]�G�H����8cs��"f��X�l2�A�v�_
+ f��	y�7�ǒQ�f�_��`�.�h"eJ-�AW\�Y��2Q��� ��IR/50�&�lP�r���,�V�E�Ԡ������ �k,`����sG��Z�T��y���brp)D�B*�Fe�i�!G`��:+�G������� ���+�+u��xt|*���,�͊t
+��J����,��JdJ�5��&��(��L�ڪ��"��E�y&@����{(�Ԁ�q@��{0�]�;P��0�&��0Ŵ
+ �LX ��`I�!�j
+JP�"`¨"�l��)��J���/�\g�:uF����;��2%X��ڰ��Qygeg"�',�,5�-R�ԙ"���[w}��9SW�R/�h��>�*�Ep07������dmv߅_����%fE��nψ����!ǲ�k���-M��m>zl���G��r�����X*�MG�6��:a�݉���&%;��9�|^�h�2?}[��}|��k�V�2�qEۋ������)�?�		 ����e��)R����Ǚ�
+�������0�f���D�*H�9��{-��1N����ȟG�.�M
+8� p  ��$ψC��/x���C�Z�{�R*r�C�<��:����%2��N|"�(�)R��V�"���-r��^�"�(�1���f<#Ө�5���n|#�(�9ұ�v�#��=�~�# )�A���<$"���  !�	 � ,    ���� � �	H����*\Ȱ�Ç#J�H��ŋ3j�ȱ�Ǐ C�I��ɓ(S�\ɲ�˗0cʜI��͛8s��ɳ�ϟ@�
+J��ѣH�*]ʴ�ӧP�J�J��իX�j�ʵ�ׯ`ÊK��ٳhӪ]˶�۷p�ʝK��gu��e�w�߿�L���È+^̸��ǐ#K�L���˘3k�̹��ϠC�M���ӨS�^ͺ��װc˞M���۸s��ͻ�����N����ȓ+_μ���УK�N����سk�ν����Ë�O�����ӫ_Ͼ�������� ��~����! (���_f�]>B/�`�����f�(F�Ca�Ud(�]$�·�A`���,� Hd�����7U|��!���G#�8#�B�ژ��0x�h�A���3D,�� �԰�e
+�N ��]B0�@��Dr�5�A�`1����
+4�@�3�$��;�DU$D����)8�Hp�E8)01H������ANG�@�d�$��=#~���҂��}��@�9l���bAEt�M
+���� `�˄�QE�#f��I�_t�@�]D�4��&X�
+D�B8�^�� ~,�a���C�"�x�DIH��ܵ�3)t�D��
+�\P�-G|�� ��|p�=cD�.!�$,��]H0� D80� " ����-:ރE
+X�0�WYtLt�͕T�����SJk�@
+b�T��]�����XH���� 1)��B����;�gD��8)4� $��t�EAvC�`��0�[8'9��=W����0���q�{耇{ A�7|��CG�0�Bw����7��Bo�Pyo� �p��P���2�AҒn�H��0��7�2�7�g��# �8�P��ߗ!~�c:T���0î��H),�3���������� ���iV�� .`.,��U
+:@���@� @�0��@.q	��%,�	�'U�`O�G���5�cϋX#n��ET`R���ƍFLlu�`m���JX��X
+���s�� ���e�Z`©(��H� �8��x�l�[؂!F��@�ԪaĊ��oW�(�* ��̀�(��2T�B��3���x ���ȴ<h�qi`D��(���5�҄�@F�Ѓ<���R��G5I2X� ":�G@��4��P8T�I�y�-0�ĸ!oW9`B�ҥ����F hдx-� ���	h�+�8 Xx����(���ȗ�Pi��Ҋ��F�U����1�r�J��ԍ� I�aaT�34	�FP  Y�dҺ��Py���� �5dJ�*�8O5^B
+�̧N]a��Q������q#�.��U-�uÈ���m���\I�G �P,6u��,@�'Ah��y����:,�
+�x?H��д�&D�ި�[�`D�� �T�1� Y]�4����3:"�>�a���lZ@�o�Z�fĺ�mZ��BW���� �����S�"	�H�9t�~��j�� �j��`(��@�
+Џ.���� @/,\����庑
+,��@���E�@��@�j����Қ��a��%�4qQ�#��	��>��J� IHRX}.t��T���8� жP4"�T_�fܥ{���`pV`M�_D-k7y�������d�h5�*` �$n���=�A�@�G5���� 8vA*��������#�B��)��z��r���r����:#��-����u�Q�Bq����g�a9�8���I�P3D���V���[)�6"�Iఈ��`#^M��`6�@����Ÿ�u-��(D�A��РW���X4
+�ZK%�'�HB2YG4,P��2#P
+t�O�L�( �B��I�ڄ�U��c��s��mgp���u7޻X��RJsF�r�� l�{����W$�����^܃��& H]�֔o� ������p����WIi~�:�qX��j����4�sy1 ��͉����d�>+� ��� R�8q���p�EN�!ca�Q�͡��F���f�AQ �{�a����B��3B��ނԈ�>W��,oν:'敂W
+$|S:�sa5���A�:8��O	|:�&�ڗ�ņ�F�q����rP �֙ ��s�kZ��:K��g�[���b�`�1�a���.����5x���r����A�"+7�F����6y���Dm-ac"O}�@
+\�P/Y��чy	݀lKpaJ�a�H�,��s�"H�#,�u�y�cͲ�)@,V���� 
+�0u�}$P�}3PG3Q"�5�pc�~��Z�F�:��0�p��D�pp�A�+�Bk�zlB��TR=�Zk@V�t%�p�/T�zX���x���� � U\*�B��:U0-�Y��7�� �~.�GL�U�X��~��@��_q7�pv74�RV��1YFT��/4 k��m��Z nZ���&��� � R�}�P�6�}�i1Q��6�z-X�ߦʷGt�3�w��Sa� U��AQ� ,ݰ��&� Z��v�3�5{���C�v^�_�
+�
+� �P��$epBe k4 � e(n�S0m�&��Q���H����'a�`<� n��q�yP ��_��#4wZ��U��U��&�bsV<��QK��A"	���:@R0 %T$�lR�B&Ɏ'�W�����l.�\��z��e�����4�&,T�efr  ��� �����@QD�Q|�mLp}xJ}�m�F]��QxȉQ��V�� v5�0Y?pB�0 't	&Y0iB� � ��0��X`s�� x�0I�;0�Q��g7T�(N4�)�9���S-�`�����`���r�@[1�E�r��H��k�� %NQ�W��P�iT��Bn��(4 p�7�"ԒR`���+��0����ٕ+��	@iט�B �V��09�z���Xf
+f�B� �/ss��\(�C��o���J���P�����B70p9 ��0f�@S��
+3`�`>�p�0 � G|eK?�*	� H�PZ�o�YL� Q��tȉ���F�]4�p��!��%�	�T�6�t�� �\Uo� �Y4�%g��ql�P�# Om$��
+�` 2pl�0 3�i�e050�0R0�PO=�l�i(Q"��q���U��0�s�G80Z @���v�և.�ɔ+Dp'j��pw�a$�w���	���E��+��+_�|��s�R�� /�
+��	��# ]0�>e�M �>� �`c�
+�P3P�:C&�����7�I��5pV���PK�G�F�7�̠�w)v�'K���;�/S�o�j��i���&1��E�s���@�R.L04? ��`�@��� �
+ �`�0# _� " l`� S=@�#�!��:DPz��r/J4@	]���~E3Mze�k�T��4�Dp6iCB�<�?{W8Z��y������M$�$"�2�.9�4p��bjB�0-4�  
+@ 	`&� l�� E0w��t�
+��OKF�L(�@�����Șt�`[�Ш�7�����u.�@H.�RZr�l��b@N˓�������gi�R�cE�k�#)l� _jBR��@��
+P�P� w�u��|{�S �~�>�"-��X�Ta���@A����Ŕ���rex��J���YH��!�)����~b9��������k �EȺEx�R�*��5��Ы�0 �`�p
+P�ś %��W`�0�+����+�r%L�w�;t)@~@.P��S
+Q�@��S��xc�W
+\`{��0D�j �']�����1X?�X�0��Gp.L�ua4RWd�T�� 2�	[ ��	'`v ���P,ؐ�f�c� l�߷O���$���	T �8���5@�KP�x"��"v�J��X?יđb�`bBQKxQZ��U�X`�A9�U���T0���z�R
+�p��=�dT�-��@ n��g�π�@	_`��� 30��T$�*�h�{�r	�U����pb�ߦ8Q@��Ɲܾ��F���V^���'+B^�3��W��Q�:�P�s2�Q�b]��Z ��
+s =0�Pf�Ͱ���0=@	=�E��![쀆{��u�d���6m ����1�ȳX8���<a��É'r�Ec�,�M�0V��&���Cř��$���9F�^��s�����c@2-����0=��+�a�� P�Y C �[g��xK�\8mɴ]�G鬭� 9܉��@0OUL�c�04@��ԇL��e��P���ρ���a�p���<y@�Arx_�AI�ϓT����==
+# uP[����K v@@w��f�
+��F��!0d��BY���ښ �3;�T������:tId%��� �����	ߐ&U-�P?y�)��19��Ж�5 I��u�x%�H=0�A[����(�`P���≰���Jti`� *;�����AMP�6aW�mE-P;���StB��ق��b����6�T^�`Y�� ����:���*2���Qp��L� g��72��kP�Fo@]���
+  v��
+�"`۠
+)�Dӷ�q�\�� ��XX��Sp`%�+,Q�?^8Pn��F��S�Ɨ�����`b�1D <�q���j>ZZ�	�,˸��(�Qp�gw�0{��9�_Ϡԅ\�1��������;`6g�	����k��P"��/�N%��Е�0� �� F���{���P-=0��x{�r�  5�j�F ;�㨃���?�p���y��uP y�`4����G�8T@�)��[�.U��K *��	��` �  #0S�``�ϰUp?)�L��e�$>�,@���sv!WL� ���@�}��;{e��
+��G"�����d ��G�[�Z��Nn�^Z�>�0�� ����dL ��󽰕�P�l��@"� t��	 t�S���;`��!K��._�|A\%�?�. �b����(�D���޳���b �bP�A ��G��5v��������T���1���=��@+��������
+����8�@
+�I  Č�=L�"��ŋ��h����%�`� g)U�d��'N�P�T��[�4���̛d��R*��ox��3J����p�I��)�����=,)�j����Y�iծe���[�q�I�F:@�ɭ��oT����п NR�����=�s��7�s1>�A��*��4h���;6l @p&�k$T�qb��Q�� S��35Q�B�j֞4K1�B!�I�+m�\�3�� ܔ�˲����ha�Š��tH.�S,S�af����` ���� �K�g�k�F.�㺔`��Bc	
+h��-���Ha"�L�{�q"atQA��� �0!�^�ǚ0�y@�*i��~�gN(� �loBg8�d�H�pAÞ�����C��8z��� ��L�5�[���@K����6Ϥ"3S"�����F��GD@t�g@y����� ��8��0�� �lF����o�� �A1�g2�c@�9
+(l�B���qV	�	懈��ͣ%(@-
+jIb�t
+H�A,) x��		��	��"@���H@B�	�r�ʁ�:y���8��7B��^|�"Q�(�`��\�A�q��z���K7$��N:j�@$q��bT �X]��ck�����(8"`hn�b{r!&i�놑08o�C�?k)��@�������$:HyF(�\��l���$
+�VJ!�
+,�(E:_����=��䃬ib$1����4�MNV0�QA�)g�
+TH�:�xq�&�B�)Њ�+���[n���(�<�lra�(��֙(�N: 񈖝X=3�iɅz��������%��(xo�~�י�33�y�5#㛴�`�\^#��S	�E0"�h�;�';LYBp+�@�_k��"	N�`��$5G9� �s��R7����`B
+�WТ��tJQ��� IU���G���4�� �@p%u�9`S7��]����B��wC���L��
+0%�L%ʴ�RT`3�3��� p専 ���D��4�!��ZY`,�J�T��4ޓ	Q�dE�I��A�P�85a�? p�/q��qCۜ�� 8����t
+�B"'a�&X���C�>6�i@�9$%���lU`w=�h�����n9��!�p�C��� E$"a� 8��0ȯg(9���QA��)�3����8�\�pC��8�o ��\@����x�$3�7do�T�YNx������@��@Ē&�؀��aW��aJ������0��8���	vCL�T������H�4a8AK9 �0d�4��l��bu�l<	\�� 
+(I̼�7܃�ÜLJ�@���I
+���{�A((����љp"2�� U̥�Q +~)4�5?Ѐ�)	�C��@��kق :���&M`�Q�D�x�Ђo�K��@�\1� �4������"��sm��ɬ(~��A���9�7H����̫Q�� �N&�<�-�i�0!Sޠ Z��������[ ��1a�T�9� !��RP�ky﵃�&8�Ի<j3SI�7�P��<��3$AY ��������+\ �f�#lrha+�
+UR:o\�2c n���Nu �
+F�����^*E)թ���|~1��p��HqC{R `w�̀�o����W���iA�� T�4�Vp�7(�I�!�q
+�R�}M�׀��NI rrP� [�BQ.��A@T
+��!��"3N�[�����.\@@��0�R��eR�!ǻ����%�Z@  C�ɘg�@�>�Y�A�Fh��9��#�� 1���(F��\��5&(#`@����� ��Ϲ �pF:��u�����k��B� ��uyF9]F��
+U�Xn�jQ�[3 ��'DPi@����Y��F��̡�0��\��� ��#��� I3�dp� �rp��h!�X��� �Y�nχ|�<l 9�w��
+H�+� B�@ޕ�-�0���D�Pa����YQ�l��d��nR+�vh���8�$�5c8�8P&ha�JA6���??- �^@��C�"����/P
+��[|`s�F�sÎ^����x'!-��r�h���� ���Ǯ�ξr�   =X���8�.�{E �h�L���aun@ρA���{(�S���P��|��.�)޻�<0C�'�ly�s&:��@��o�	
+K�o�����l��f��Y��D ���?��C ���*@޺�E؀�� ɪE�>J� !�7�9���ѓ$a����F��D�7������ʡ>@ӣ?]K>^ {1 �P	�]x=;t�:Ѐ�@6�;��!A�B[���*��:�9k�����p)�<7X5��� :��(����`����/�� �s ,X� @�@%@4 @��N��{�*X�C��d�R~�����
+y���ĕKh	�7rۄ+tn(.5S��5�s 5�C�j����]|(����" ����J �OŲѷ��J*���{ �mQƕ3K�m�`A,�S5=�
+ <<�	��)�,+�%��P���@(7�F����q/���(��#�C%~52�91���x�%���N�l[��u�$3 �X�Gy�)P���l���h��0A�U{0��!Jy���(wਔ��:>(�� �d\�Qq؆'���5"脏�C�ӂ�C^|Gh8�P�10���!I�P�  ��M䕔(�K�:�<���7�@��P��Sp	��Y̵E`M(�<��xl0ɬlSH��6���>���r�p [��9g��}����Z	N@C�8��8�5T��<l���3+Ѐ`�hD��'@���E%���_S 9�-�ė@H͕�1!.l70ȪL*��ġH�&LC���Z�P{�.p�D� �Ä�"Ѐb �Y��@���<��  �9��$�oX!�뼇�L���,����(PZӂ�(��@( ��x�0P z�}�τ�?+p &P��E?Є�8-R :(�ʴ�|	�Y�ֱ�TD�` ������z���@8?�*��Ӱ�_@��s D��]T�`�KXNP�U�I$��ʌ8Ф�pX���%(S�y�DQP��@H�ń�;� \�C(�y�O���9�+�:��:Ђ�wb�:��д�΋T|y؂�n�Df�Sy���ܼ:I��E?�N��-bUAyXZ��BҔH?�F�<���U{��n���Bf�R	8� +�CIЂ'@Tf8��JSe�@�'<�Rط�����,W���E�Õ�fx�����k=�6X���Gz4�0���R9�Ty�{�PU���ĺ��� [��r��J��e�
+MO)�R��7�7�Jʒ�5Xl@�n=�C� ~E�!F��
+���Y�g@�	q� �&���W�H���S�'0 �+X�@��%���x�'�� 0���U ���B�Q�4�:(,>
+�`����x�4ed�o�2`�[� 7�/]J8,]��D�'�G��س�Pp_ м��{X�p( ��A��(h�����͍ZX�V��C@���٥�u ��_��X�A�O��'���h��=��Օ7 ���ڐQ/����8�gm^�����I`�7��s���V�]�"` & �^<T0� ��M�!X���^��� �� G�N��c!Y `f��1�7'��5=j_1#+�??@yD�D����D(�}` ����[�@%���SX�I"p�����܀5h�|�M@+L���,H�����,|�"�~a�}�H5�5�\TX9c 8�]D��=��}E�-��r������� Սc�$
+x��6X�u�VI�ǭ��0�gh�8�U�c>NZ�С��pw8ݠ��I��[���C��`�4I%h5�T 3GF�] �OV�8�'J��$(��Y���"Rf+؀m�E 7Shd-��]��^N�{��p��
+��g.P5��I�`εWuL%���q �e��4�f�Z����0��d`(Uv�%��@��Y�ET���@����1�{^E~� d���dMh�~�hՁ�&�RA&X�$�9��Tx4K�^��j���TJJ鞼���68�]d���68�t��}�!E�i��r�@�{�	�h���o��V�i���H ����.�^��0P��`3�F�:����=�qLkH� -�j+Ї�Me��\s p ���U��I� ��,�����,��$�^~)Ul	����Jb�@0C��'� �`�x�� |�f*�#�����l),����6��b�GD��r���X}���
+Xf`	�틨� 8�R�7����a5�'��f�� �.x�D`؇�N�C�F�-��o�[�n*�Vȥ���j���' 苘���GXa�Έ"Cݿ���[�#�m\�%x�_ ~v�2�mA�11��EX�ӽ����W25��6`�H8�g-U�T���˲�1�O��hK{��Pcpo��~I f-ސ�P�N��]�K	l�qy��(���f�.�FT+�L�o�ԮqB�5�(�^�r%�r
+�r,�/�O�4��Æ S䮃M>�>�X5�70�&�mR>�b��Tv�o87gF�8�5�o�@��U� +s�-".��r��q���+����t,� I��R� �k�t��p3��>S_�1���. ��WY��(p�Rp�`F�"'�c��/
+F&'�{(c/��N���;�4��g�t�Z�ރ�8�����o�wQӄ�yP���� w_p����}��+X��~f�O+ ���RB]P�H�
+(t���u����UA8�`���`�qÌ�Хx�z�,�u) �)@v �Sq��~p��;u݋�w�CPƊt�'%  �U��Y�G�� |�σ��(X�)(M� ��1P�w�8��F���zR�8�05 oR�\.(��`(�)0�Ѵ00�98�7� ��K��(0�s؀�0 �6��3f���_��@y�;��: 5���W�����8��e&����|�PX��)aI�%�@05����+���d0��D�����➄��P[E�"8��f�5����!=�{��G�w���e�W M�. Li(BP�ķ
+2l��!Ĉ'R�h�"ƅ�*0��,#Ȑ"G�,i�dF�(h��"l�yր�˜�)�'�> �`',�l����7U4��j�*֬Z+�H�3Q̙B��,� 9�"�ࠠ�B 
+8�0��ּz����������K�pd��0B�lKwU�XEE
++�SWL�Т>�x4�Ԫ)b� !'�<�@�,A��O����T�&L`Zm�8��ʭ~��vRP�j+ [tDK� [JC�����Ǔ/o��4�_Fw�2L_]0N
+���������u�k9`��YC �BeuF"�7!�Z8Q�D���1eQp���)��"y����|hc ��\��"�=�(�?'�h1h(�"W�w*'�֏QJ9�U}x�Sb	ـ6�H����e�y�E���
+}dP[""@��E��`�&h�'�����s��Q�	 E !��*:���!��RŢ�ZZ)��d�@ �`ɥ��zfW* �v��1&�9*����bK肘Y�y1����ڟ?��jA	��4D��,��A:l�e�1���Z{�q}��R�d6b;.��U��ݮ)�EpP.��j�	�Ip ��������IϜВ���& �0�u��~���,L�0�C����Ū�v(�|� �%"̑-�����1c<	�ؠd� ��=��@1�����I�N,���eIVčJ[��)�$�KA��R��^=6�zء�.1$���	"�
+�d�=j�i�B|o�97ߡF`�-6�� k�7����	��+��%>y��@x��)����0�e�Ş�n�	�<3��������̒��e��0���.��� ܺ�b��KK���[�3��D��*?�@�<�c@=��U�ʪՉ�ݛ_^��_�	_���j]���6(?���a��YS��c�8K�,q��O���`]�A�.���	�^�r��X 9
+rp^�rI����b@T��
+E�>�^8�Ȕ���D%'��	�@���B��Lp8�"߰�z`bX�~E|�D|��!������*(r�!�XWK���������F���,C؅D0�+�fok," �4�Q�a�@uG(2-'{��A�0>���UH�!�s�����E�
+`��I�%��$b2I�D`Q&2�E�>	�m,��� Gl��0� �*e& Q��3��؀��2�W�LY���� o��1I V�� E�R���Q.A�/�U��m��  cK����,���PX�"���q�Y��� ��%>�'i�D`�P~2��T˅
+�O��5����R4_ZDp 9����h��s���J(E%�bdL��}�S��@�����5IfY�5wQ�����j�7�T�	2��.�!ԩv�Jf�CBq �q�1X3uqҲ��ܐ�V�YЀc��\��$��5�:CY��+�ӯ�{F�I>��o`j9k>]H� ���
+.�a�|VJLH���f�R�
+�`�!�vz���  � <���`����m�����d������2���}.t�+��R��ֽ.v����r����.x�+�񒷼�=/zӫ������}/|�+��ҷ���/~������/�lހ  !�	 � ,    �K � �	H����*\Ȱ�Ç#J�H��ŋ3j�ȱ�Ǐ C�I��ɓ(S�\ɲ�˗0cʜI��͛8s��ɳ�ϟ@�
+J��ѣH�*��(K�J�Ju�f*$!�Yկ`�
+��ٳoq�1�M�۷pa>c�Ϭ�o���h��߿!T�K��Z��+^�p� �C̸�e�-C�k�١ˠC�ma��f����hV���F�كpڬ B�>#���-h�N<��
+uk?�P�?BT��kтG���k����8ʟ�����_� �ڨ1G@���m��=2�	(�=7v	��=�H�3U�� <��83�]$���h�BP�$QE~F<v�Τ��7�_�4��T4�B���ӂݤP�i�	@`�L�� �Ј3�(8'�WG�ԑc
+X �a �M/e6��JߐBX`Q!A%3H��3��'�Kf�;���έ��H����:�i�VZ�c� �3 ��Æ�<c�3�͸�}S�"H�i�.l�����0�G� )��YA�1Yϴ`D��F;Q� ��t��Hu�A#��k��B�)\hW����3��6�L����:��*�\Zȩ�f-$1a������h���k�A�@��Vȍ4,��3n|kd��!S�(	aq@�On�ܣż[�V ��oǒ�Q�Ro��ű��Wޠ{�3B���=#�P�,�P���@w�-U�BE�#\�Lt�4a��sϩό���j��?�T��/гzC�`���F�KX�|0��v%�>� �d�w�hi�E�7Th �R��"7��0~��Y|�Mw�SJ �o^�l�݀-���z�r���Y �C��Q��V�;w���p#�����_}��K��50�r����f�`�M "�l���Q��C_������V
+ڀ�g�aD�3g<�,pF)�'@�|��ֵ��nP��}9�΅�0A&��`����$��
+0��A����2hD �0���BX؀���C`�sF�����H��� �@�	�� �� h�(��(�5�H1�(X���(0"~v9�-`�~�p�pAE�p&����#֠F�Ђ�+��D���.A� �� ��by�?� 
+70���#$X M1�Q�6) ��u�� E*��I�GXɃQ���#6p��]F��k� S�E4m�y�E�����#�@��0��&������~�F @7�+�>�D�6�҂AZ�\X��1�Y��c��P,y�X�
+`h��8��C�h�������X(����o� �&`4�VԢ�Ă��O��c� ����`�waƻ�P��t'�PI���%��E8�7
+��^,T4���Y�>��c��@�TR��So��#�&@Qf�_�pA����@�~EWY9s٥�
+��ݠxȹ�� ���	� Vb�
+�npbQ� �*�k��Z�������T �`ٖ���BW6� �h���B7`��l��ୁ@`-l�zx���Y��S�IT�0��4H��MI;+�`����AįT0�P	Z�s��f�3BX�[��#��+3����܃�8.{[� "
+�u��R"��m�8̲@��6�&�V{`��l�I�h��oW��{�#D�	�J�k� �O��d�_�f� Rڲf�%B^P`� ��i���XR)��hP��� �e��f݁�%��) �m.в��r�	�u@o���p���\o0" c�"�6!�T;���Q��C c��[��Aí�7������fB���e�B�@3����R��`��!8Ջ�Aq�x��*� \�i2�X��</YR��@:�N0:�L�lֱO>����8@�,V����� ��4�^v�O=a�  Q�C(�\�a����!��DM�]���Qq��1�,�h���^����Q���m�g�����r�⽺��Ѐ���W����B�A$(@j��W��$�7 �8��P�y{[��'��5Рg�89�&�����uy����uk�4#�`�z}��ЬZ���p�?���ΈRPa4XC M(r���h�\0ޣ�x��@�E�F��x��]��5��^Z���	� h�3���ր�/v#s��m��b�RDA���� �C��K�ܝ��8�L����
+ �=��)��&�A�֝��0��ba(,��2���'�m-�-'F3��( 1ha�0HA7b9K�_ �kD�1����D�@�e�!� ��{���w�'Qu�]�  �g��J�'}��	 +WB��5� ��q��	��*� 
+U�`E�y����LpwZ�w4�J(<�G� mf�Sʥ�n``k���QS���1�0.@-H#?4��qpU@M�pw
+(<T�3�W ��.�G'�cqR �&��k�C-�t��k�(��$gB7�At���c��~��0 �s�q�HG'' �c�P���BD��kZ�	�$�Q9�l��l�i���yR�0PD�Ѐ�k �P�����^�s���P�f��lS�6�'�@f����cJ]l�4�3^�?#X.�/wf �Q� 	�X!Ń|#�TP �`���v�o�e�X @0���0+�_�C��ь�s��@9@%�D�M��h���׏q� �PF��k�P<qe F�{��e�phI���B;��v��������^$(;.p��Fq@3��]4�c*x�j�w������\Q@�W�y�|��[-0��-9�uݐ��=�Y��\��|�vmZ�St�yZ��9����0%Ĳ	)�4I\u..b�u�}1m��p.��^G@� u�����t#~���/��A
+9�@��t��F��I`��q�"'k��F�z�����P$xw@a�L ?̩��� ]���@G)���4\%')���ui��0G��짜�u����@��HT�Z�40f]�}���'������f�U
+��`H+��!"���L5)Qp8(�/�'��I����9P��Q0�Gp��D�R<؉>XP+蹠	�K�݀#߷�y�i���v�)�a�������sX V:�����ٜ5JGq�@V��	�>�2�P��v{�1(ĥtQ�X��q�Y�l˕����	��B@�3�Ox��DK�\ *�֗z���b�a�Z9 �� �T ~�1�L�c������Z��p>�+��bq@�Y�fTeF��f�P����p�^��/���{������d� �ʫ�������P�6W�Ť�	՘�YPi�+d��$'��ڭA��z�W�F�����C�1T���O4%K ����ߠj%)�@�;�y溣� �p�aR�h�~T��}0p� -����5+?�k)���x�� �0# @;�p�0#0�P
+�Y��QّEi��v�L����1+�@gP�\�x�X���@�0 ����k���j�	�P#0
+��F� ��G��R�c��	����X ��� ���Zp6�� �]"D� $�	$������ � ��
+2�8a��p]�Z���('�W�#�w%8���a��A2��.�@��/0�K���� 8��Ϋ�� [� =� [�	9��K@GT��T��U
+� &�Kr��C���Ʉ£�oR gdf��m��}a���c���������{�eP��	�� �������o�hQ����;p���
+X-<C!�|N��:�狉����$p4Ø-]��u�: �켐0 �����;K��qlK�$�UX�Qj�E�3�X
+�x�Ц�
+���0ܻP�^��՟Lp����V �p	?켗0 [P�FL��q��gKP 5��r�?r��O$d0���Z0Vh4���.�nOR7��� s�қ��L�
+�����8yh;��&��/.0ZE��e≖�
+������	�L����+��f9���ȉ>�wt�R  Ʈ�u�k�d�PF>���c���˛{	�@��=`,!F.I�0�̪��" [�����i��2)�]CU���L�$��[��� �zs�q95@�:�4���X��)qX�vZS� 
+ #v� �,��|	e��������$�{�T�qJwoP	|��Q.r����R�"�v�
+��:� �˗ 	
+�І��1�Qy����`F,�w���@m��u.�je�H:@���-�S=�7X��f� LP?-:wh|rz������ � ;�/� X���S>��$��м���=�%�@@�y]
+(p�JGp��5q�}��	w��Ʒ��1) �˟���0��4!�Bfr��P9�  ��ٙ��� �=�0����L� �]��@��䭀�)��N��o���}���7�m� 
+�@��M�ҋ�F<���`x�u����8��f��X����S���&ԃ���0C���ސ��j�
+�P�����߆�
+!�d#�u&�Nj���	 ���o�B��# ���������e ��R��[�
+�`�`��([��p;�~�\�D ���-NN�P*= n��R0 �	e��[p��`��|������_�����X��fn�;痐�	�pГ^�� �p	�*���a*1�Q�}���x�`ՇN��o�r?p	�� � �� r|	?0 ���R�際	e��s�	�p����@&��G 8-:uZ|��tT �!ֱ.A`d�88� N��> 	}����w> ���� hk�K���I`��	�>�`�0�54��/��tQL,�K q���2����S# ��	KN3ՠ
+���~��? R����ِ�P�k����Yj@Q }
+������DV���G���S��H�@������/N� 	�0�$��K�2@��A�e ��; ��#�[0�.� U�I�eK�w{�7�#,���#X�KH�����(�o�O5��7qV��� �
+#@� @�2p���p˶ePc ԋ��0X�Z���M�X<_�X��P�����\. 3����3��  � G�
+��_P��n; ~�Y�0_��= A�j���o�qbw��G9 	Ҡ
+��
+��� f �
+�I�Foʮ1�@��L.3�J�0&���=�=����G� �%�̤I"��q���K�1eΌ�#&TH}���O�A�%Z��Q�I�.eڴh
+�dค��]_�� ��k�4,��@�@�iو +"K��K
+A@��&=D���_�2mb��F *o��t���cȑ%O����>��4@k�T�񪀀�1dˮf��l�������oy�0���[`g�&���hxC���ѥO�^�:�g�\��
+Ǽ:�Ҩ� �+4eǰ8�%�6�W�)R���="�# �3�耓F�s�	&
+(����RD�	Ĩ��� ��:��CC�̟ $�T�1N��kJ�0��J��b���8ࢸz0Ü��H�?+�"8�)��H4�`�)��@C-���
+K�!o ED2�4�L3	)�\��#��Cf1O�T��i(���BvQM>���0*�䐡�ᡤ�Ԁ!��l28,���2�ISM9%o8Ѣ64SUuUV�zs  Z !�B(������Bzh��0���/ ���!/6�  �.��%�8���Z��[p���ERh	���	��C��T�� ("�`F�V�t�Q��\�jA N��(��ZkIu� 
+�h�#q+����`�F4 �&����^�j@�H�,6��.A4QC ��^x��I)��Ὸ���A�E�c��vz�7
+��%q� ��;9!�Һ�je|�F�Lb��_zj!��MRc� �(`����ۅR�;F8����(�2�(h��i�w�(r9���x�	T �4���� ;�dՈ⎞¿��(gR�0F���,s�v7Xc-( o
+�|�x����ƙF�0-�DJV�Y�fU2�D
+e12�� }�`���Kmr�ﾍo�6�S,�x�P���d�N0#�J�  p�<"8�� �0�@
+8`��%���'��(p� h�c4���P���$��	�#@"�W�{UPtP =�ч�c����a��d	�� \@��0�@)P7C0�qU��R8R �O^�@`(�d�G:����3	��( �Y�_8���_c#I�o\���A,`�4X�d����������z �� 7�s�� �A�D8��T���
+���{d/}�!��'��# ��0X@�!�;W���"X���3�P�(�`�R�)E ���S��+��6������dg;��2<���� �\r,���3�"kD���F6&��R.�&(	*DT���7SP
+*��htx��t(��p�&���"h �?�h.d������)���\� :�S�:���P�6X�a �	\�Tk4��(�M	�l �0jW�j�N, �8j9��(����Z��	P;�\���M��@,�{�P:q�t��(�Y`����HY�L��S�S(�
+)��-T�� �p&Gx�E��WԢV� �. D6y���J�`�@�8�S��A�����d8*a`4��$9�:02�ӝ.&v�	ז���b���0�'n}��0GX6"��M� oS���{��N;`�
+kVf��z_�y�[�ϙ�V�iq�A�Ex����p�g8�m Ǯ\�? ���pl�� l@qf1j! �*���f�l?��Ө ��T]���$�
+��i[|��!N3���4�߸k(�6�%
+ �v���"4��"Y�?e�$���Z�bp�]j`�LĶ {�sR���s��Z�oH��u ����k����h���h�7R���ϛ��7*��6z�m������$�"C(X��(��F��9}�~C���7̀@b��x0���PD�?'�]��#�u���%h�ׅu�Ip70���B!�ؠ�
+P��k��]������	 �V�7���� ����B< �[��#�0�^Z'a l�+	�@�W�0�I �� �'9-Q�
+l�
+���d+hA	��8P�킫%��5q
+'p��#q+��J��ƇQ�('BW�Dϭ>CT�z���"^�6��`&�7�ڠ%� �	���3��W�� Q�>H�f���g�@آ
+#��\ ���}�~�G2�`���u�<ƾ�T�L4����b؂F�����x�?!�@�	��+X��o\0� ah��hN�9 ��`��	4�): �!;�g~Ӻ �=eu �Ft�����L��TG~��'�xЂ� 
+V�6�������@�K��w�_��2&�����5ȸ��8脏x���;�?\�S�?���R`�m��Ը@��h���@4�*Є�� .X�:4�}>�C���(�����A�Os,a@f 4x�|�H���0����1x@�B�Ѓ$�*X���`_�� 8@8={�g�>Ȁ�1��B8��*8>�Zp .8� DpA�j�_��xl��:��L ��@���CH���*�7.���1`�AL��K�'�������1X�H\�ƀ�>x�$`�[�5x�L�0"�}� . *x�9 �X�g��7dEe\
+L8� ���' ?�87 �	� *@F0�2�'6�?��IXFt<�.0pB� ��Qs��2d����=G�(�4HG�
+S�!(�+��+�X�H`:���Sx�(�����ȟ �
+���KH&���ڀ��A����ҀP�|ɏ����s�n���[�����bD�<�J2pw��0�A$�{�o�1�$�+Є���� �3�A�L�:��.������ʗ�l�=��r��A� ��p��� K�L$��s��ms AD��L T(�?�S�ˌ4�t�X`�[l?Dp���A>��1� ��g`L&ۮ�6���d;#��Sh��1��L��+J�D-()�t�d;7�K�;���"H��\FO��4�E%�"(�m�_��'�ǎ�1�rD�(�e
+hLnS��N�L&�Db��'pK�� gA�\EX��l2���;ɤ�$dώ0�H5Bٹ���{�O#t��D}�O�C<������# 6`D,�8D�5|%���6N ���8��;�+0>��g j�� �Ȕ�݌P�y1K_ ��CX��7�L�%���*��y� �C@��I�D���LA�Α����E��L�Y	�L=��P��P�S���<8�����{���]��!`�n���X[��35­�>5��^i :�PC��gX(/�35����C�B���ϑ�T� ���Ah�F%40QH�8�Ҏ� ��3�s� �(X�PMȘ[S�ܐtR��Na%A= �h�v�*�J|THE�(8���
+�P�����/@�(��d5dV`Tf �.x<�`5DW��/�AE�
+��nUS�FH�J�"�A-�>�U�KE ��D��Q�8`�+й�� (�+Μ��3��3�؅� hN#�h�C�����)9�����YY�m>L(��{=�X(��2L�?���� �d�	�W�U�MZ�CG�3`�0Y1�  (�X�1��������`%�����[ �ˑ�S�vsh#��@><��� R��=S��	�[(	~<�!�4h7B9מ��5�3��%9LX׮���a�gj |�λ�3P�;h 8Ph�����o������8q,J[���oPQ;��@>dc�^�� ���=��J�1hՐ���W��7��^yp�y�s)�݅����� �7�\��:0 ڼ����'�e��  ����Ӱ��`��Q�qZH�~��)�����@; /S
+^�N�ݮ��=��<�4��ah���{87S 8؅*�K�0�	
+����X�8�Q ~&Q$��s\��R7��(�4�Ңx �������5y�����ۅ�,
+T�
+%Vc�� h�
+��8�0�b�x�4�W=�:Mx߼��𧕁���K�E��o�䩂~Y�I�"�ͣ0����oY�. �g�__T��@U,L�a�8��e8�~��h�E�PL����� �*Z���dd�=� z�
+ff��	��f+� XffN�1�o��* �� G^4E(�=���bP۠����� �k^a�(�*�g��Z�{1h�^��=K�������<h���?��6�vZ�����M�Uȃg�ӄ�% (@�N[0d�n>3v,�E�Z���i���`�1(8�w`���4H]�h����h^�2	3��c���'��ϵjw��2�H[8��k ]��<���c|a�&ⷦ=Эg�\�E��s(�k��h��=(��3B)���91�����ǎl��YH�Ʈk��l�� ג]�	1(h�m1�����Nm�{� ��Lئ;̣�8��۾��
+� ]��]p���*�]�kM+n��=���b��920 ]FI[���4=8��:9x���6.���i��V�q�
+����Ƶ�u�ei~��((��+�o��(p3��R�ok� ���!���o� ��8��/���/��
+G��%��P� �p�仂g��L5�1��݅]8R`3��`�]06��G2`n]��HK�r�~�]�#טS&��Nxr:�򹕃����1�'O�*������/s�9�'P69`��fs
+srŲ�H�+`���s��s�� ��"�r@��.@�<a���D�.f �� 9(�7��H�+�u3a�t
+��M�.1�U�
+2���*r�]��nVw'��څ�1qH����q���+��uo_輻�!&v��c�)�}u
+�p�g����e�= �H�k�om0fw�ow�o�iG��>w�
+�`�s_�vwGwo+d�s �z�m��G�~o�*��.�P8 b,����J5��
+w�^"�{N9�w�g��\���o���y�����:Fyw���e~wyvJ����f�yw���Z�����<z_ZtMR�6�_� �DH�4�Be�_��gv�D��F�/8� ����F����. KH��{��{��{��{��{��{��{��{�|�|�/|�?|�O|�_|�o|�|ȏ|ɟ|ʯ|˿|��|ͯ��  !�	 � ,    �K � �	H����*\Ȱ�Ç#J�H��ŋ3j�ȱ�Ǐ C�I��ɓ(S�\ɲ�˗0cʜI��͛8s��ɳ�ϟ@�
+J��ѣH�*]ʴ�ӧP�J�J��իX�j�ʵ�ׯ`ÊK��ٳhӪ]˶�۷p�ʝK��ݻx���˷�߿�S}�L���#^̸��ǐ#K�L���˘3k�̹��ϠC�M���ӨS�^ͺuC®c�T,���۸s��ͻ�����N����ȓ+_μ���УK�N����سk�ν����Ë�O�����ӫ_Ͼ�����˟O�������}�P�A�����e���B @�? �ЂF$���3��a ��?AA2�� "��"��aϸ�!.�"<�⌂=s�-�#I��#��=CJ�?U��!�}��jH�b��e��Pq�]z	�7�͘A �L��� �Dp��-܂�w��I��g_ l�7XHR � �'Z�ræ7�)<x��+H,J�7oh�	7�L������ĕ_����H!e�:��� �/�����A�������?!n��+��4$t�-	���N�� � ��7P�)�Q���Tp<TaD/<���U1 �2�$�;�&�[<�,�T3����ݤ���D����BU��fT�� �9+��%el�C� ���@p��ΤPμR���ı�L�PJ:K,���
+{��'4�@�ՔJ1-k����x�P�?9BPEb.��3�u��`��5び@�R�E���jd����?I@�T->���o'I�t�m�(w��.�K�j� @F�P�'5�5d����4�� �����'�h7=s�%�jd̤=T-D��(N��-$�������)���R���D� �9:0�<	�x"�'�_��4�S[�@ĤR&a���
+���1 �S�Ԝ�BԢ}9[p�hy�p^�¥~ru�H���Z7>t0,}����)�]�X$%L�'K��� �!l|$x�W�c��4�\
+�$�&�.	?�C @�x<cq8�$`B�o�`�7�����HI��O�������aI�X��v��?��g8���Q��ą
+�c�(]M�p&���[c�.!�7��V���	!�1�F:�=��!��C5�^��g���P�IX�,v?К�q�X���؄I1���F@�4���5|��JE^n���1ˁ@���v�K��-�; �lA�������]"�\�Q́<�z�����	��!���b�d�P����!a��D��AY|P}���@���H� E�Z�Ł@&��H�a ��' �-h 	V��x	�a͇��?(��HI	�����;���-y� ر-5��e��nڭL̠����.!�2��@0��u �� ��#1��!rG\t*��2Q��a��!�-H0�#�6 ]-?8�[�@�~k�?�:A Qٍ,EN�Xab%�`�Є&���[���J�ܦ���X�E����{ 57��7l�x�]1>$"�EIf�5������*Ra�9�2R��y3q	� P� qK�c�Ѽ=�;Z��m�c�ȰW� �-��-�/����$T�k ���*��iH���L��j�`�X� �[3�w  XC����!�E�DT��Fb<��)x0f�(�{	 	t!���@�j��_���.�5��<G�b���Qި���c� �	-�EBg���$���2��ÞHE4@�&'���E�`�̠l@��EP��x�f �2�cZTs���g��̈́10�!2̙0 2���A�V�`R��Cr%�yT�sȅT��b+`,�2pa8[�Оt4�g��T�J󑊁�b�@DB��3fQR��@��� �{�'<�-d���HD>F��L��p�@�b7@,��.lp���!�xx~�i8^� ���r�# aǬf!��-�
+�D{���;עo�[ ;H�3@ �
+@!�8l21�RX�H�5P�DP� ��̰1�JC["�reG��9H��Ct�(}cl!"y��P�gTa��Q͟�M{�=
+���yx�8� P�m|@D'�"L�/P���B�� �� �!�e�����[Q�ln��� �E��0�~�(	���`��5���
+��� ��3v��Bda����3R�J�@�����⫹��9D�y´���3�	Sk���t6���N��)���?��W2��A`l#Y��0i(�@
+�;=��G���L9��3rۗq "��#b�mS"UPoVP����f@q��	�0� ��F v�Pht ilP;�-4KP�їu	�#<�z�'s� r�y.o9�F�K�I�@��!M0�` 0vpglx
+��V� a��br�Y<���?�"APW:2L�U"�B4�&��u(`
+up@�@ `,�hl�8�Q�7	�$;�ІQk�q"2�#�@���T_����q<;����1Pp�Ppa�
+p"`6�2�4�%�=��q9yPI��'���FbF�<����|`p�a`Wl`&p h`9�a��>�01��YZ��Ō�����
+("�81Pt   �fpt�pE@
+ U`X8P3��
+��Y��V ���^�< <p�axD�p����U 3P�	�\4�B��)	���^_�  a`6�eg����0t�"y5?@y	����ߠ�pHДN�K�Qٔ��V9��#� i �
+�^p &�e"�����P�G3�U���Xi(���K� 0 	V� ~��P���9�y���)�.�	0���pGV 	��K��0�\��`v �' ^`P'i���(��5%9n��#jp�{Y{cG��.��X��Y  �@@k9��0� ̠n n`�;CZ�T ��	����XY2���0y����& iC��i)֐ fP��I��Z/� H�%u�Pv��KX�݀.P
+L@��p�p��� u@�p˨kAu�!�����0`��i K�`��^@hi�����������`~�hu߰t=�1��P��k�� �q��'(������|  <��� 	���(�v�
+  �Y1�P�PIrm������Х��P	�uY�0�/|��� �i��+���x�@�)
+pI`@`H�P����`]8�V3G����3a
+r����``�h���*� p'v� g ������I�2!��G�h�W�!� �5�� 
+�����`��ڈ*@ bh�tpP�PH�wf50I
+��c2��� �,���D ������vJE��G��' �`U��H�@�r[��	�����ɪ �wʚ� W@x�d��#��`�j"-�o3�f3gȪ�mPa�?�A;�d  \@���#� &�4��
+� R��{b�\۵0���6��>+D®l���	p*��� �`v �]��A� �@��82}+"�ppW8mb��{U�q����n a wˍ��d� �  *	�B @����I�V!�P$�+l��+�m`��'�>K�x c ��eE`G�9���K��]����04ū�ǋ  ��+�lg �g��k �0�鎕�$�#6��\��ЁB0wߋ��j �㋵�P�}� P6I��P�Zt���D����k}�e)��¦ ;��j�s�! �P�\$	`m�+���(�(�(p� r 
+�u�J0@��� �:&4L`���k=8{�mp��l��O <�P� �@��@�x�ӲH+!w&�Z�3� �;��j����j ��}��0l�*��r+	��mJ��kl�� % �B����ߐ���1Lj?< 
+r!0�- �[8���#�ZI*+��z��4@�,�|��倱����019�,0A'�%0����c��T�#�`� ��"��/'���� ��/�D� N`��́IH���H�m��tڂ�0��q9L@(��Hj�B�%�T]�ìjF��E�2}%$�X8��������q�ń���N@0@��L��!K� 	TO���-`
+* �CP���4�p�!�}��B�Lz&�O�6 �� �&A�2$$��%M$�Ld@�<��	5�9(]��=-(�B]� �`�� ������JpϠ	v �F�� p9���x<`�HJә�#�P&'+  �9�I��PsI����� q@1��ԁ
+�c�=�V �S�`đ��(p
+���-�k`&�����fN��&K)�]�V�F"6���(L�ʲ	L.oL��Wf����&�-5�9;��ۗ����~�	q
+�� P @��4����
+r�K��
+s��#�@L����cAx%	��B�(l;��S2��p���`��p�9|�0��n�a	�݂l�
+������%��g@ ���ζ`��+"���;P��dp���e���0	ahQpئ�  �ٌ(%�  �xW��%�	���k"����3�x���� ��$�C�����d�*yΈ��Q�� �(P�;����~0à������ʢ�� &P��<���'�֪��&�⪔zR$S�$� �n��� @�n`����O�=��ӻ
+���`�Ȍ-Po.���x�W�k�w04]�Is��7ǁT|���@�����p͡<ʦ`�� �Xlh�|�� ��-��I[���������`&����"g���a�������q���F�1	a��
+Pխ�r��U�R22��}L�@��K���$���Q��a`�PV���}�����OPG�`0�c(F�������P����oKﭽ`�N��"��1�K`��@DP�.��LM��L�`d 
+N��C��� @DN_4���x/P[X����%� !��Ȳ���b�  ϼ��p
+q 	m�@@������~P !��Hl	qg�Ђ��nO
+k���\� �]a��82\ �� �����.�������An;`#6R��/̸|� ��$X��A�	.d���C�%NT��TZKʕ��悃�!E�)wA@9L�<	���1�yր�CVA���^ 
+K�%Z��Q��x���/�QAc�L��CO�n�z�P!U�0�!$H���8³�q�Υ[�.�.�
+@ Y���H�$�΁�P�����<�<�pSA�"	�"|Fk)���~rO�� U� �ʣ�Zѱ��Aƈ�!;��v�o���� �
+$"��K8$�6+ �c���&�-Ѭ����0�Bp�F���-x`f�B! ����_#��ݹc�}�i�w�(0� �b�8vء@�t�#�x����M<;���*YB��D������E���� =�x&�@�;c�)��j��^v � ��wx˖f�c*���=�2KP�0��vH�� �A��-	*�*�ۂ ���Έ��`W<�0�h�AQt�b`�{d:����"&� �$�B2�����
+��=.��[l��"CN���C�0��$^�sW^�t���\����/I�QT�&bB�QqR��+x��!x�4��h#�V�*זS� B !*<�Hn�=
+�����Wz��CHv_¬(���>a`�gL�TZj[��\���>w�hO�7s;dݷ�8�C�0�R{Cy���_�� "E�臠.�#G:���g� e㢖\�{�%�CL��h��Lbޑ�v��gJ	�0Qv�.��$;Pv��1:���2n�8�(�t{C��Xw��Ƨ�~	&�����z#I"�����#	',k��1��v���
+�57	��ּ]w*��n��u���Z9� ���
+*u�� Cڜƨ�לm��ʹ����@b�%�`C#by�����``	$�g� %�'t�w _��%*�Hq_I�`�%:�pj`��mA  σ�����fxHBe� `
+x@:�X` шntt�-`P�R� L 8X� @ �<<@�Z �`Nۂ�!�A��ŰC�N+l�	Jx�/\�7��uJ��҂H aE�Q� P!��K�@&x@&�G���@��B$����a4��6�8V��U/B�<�o ��7���y�@� Ocl���~�NEV(����+��u�1�0�o0#ҢC,�z=#U0}��r8�	t�F&l Q�@�h�^ЂZ4T�t��.C�;��&{���`a�\�G�f�.Z@��6B�_d-L�&���'8� ��X���=��y��0K2�΀A Q�(`��؍�PY�g�&Nj��*4�L	��fE#���"I�Z�A��
+�A�b
+�'�`�	�1�o$�
+��=S��n4�b����7��7�����$��]�Y�,�T��#@t���C�"�}"	�Щ�L�J�	X ��a��K�&@p�ԁ��D)�����+�jB��A̠
+���CT�}elB�@�r>���{B,���C�1D4�?�q�����0��&��"A��F#��&P  � D *a��B�-�B/<��j�<�hn�z��KP=G&��ɖ	@BK�1t�n��Az
+�,��L'���^B>�]�3�a��sH!C�^���V�`��*g|�Q���	 �c�E� ��7h  �H��
+����Z��C�(�P]���7~9 �"�Ap���9e��2����V	�Z�9[498� Q�'I��.�1�@Pq�* ,pj��ܓ��M�lq�:"ԀE0���%�  �`�}Y�qq��$/��i�XE	�� ��+��f	�&$���v�=G�"��A��gI�K�AJ��pB�(v� ����&ev3�jݶ�;����P�z��a�C�B��	Ox���`�Z��ϲGօ4��F�*�pY�:$0ဃ�B�% JPeg�[��"�q8P����:�ux�1Oh':k�.[P��кn�'|W��B�� @� g9%Ѻ͢�e
+�@����*\�#��7����Q[S��``���e��?b	�vq`0�}���XWZ��6��ha� &I�3�;�����E�p���[�:E ����	��EP��8� P��Yp��	1������{��B&�(�H�6��̺PР~���^��# V'z޵�w�g޳�]N/9Ƀ@�*p]t�s\����5����!a�|�m0��"�;5��14@��n�{�P�ݴm	X�;�G��>�6'��H���\?��w��?� S6鼴�^�>(d	c*�v�� 
+�'�a}�K?�h?i!8���;�C� z�US ��?���t� ;;�� �t @]�3���4H�߻?�	|Ae��?��T A�C����8�0 �	�0X,LBI� ����K��;����N�K8 
+TB0�3q�<��!�B�A_������� C9��I�1�! c0P���K9 A��;H��CCıg����>l�3(/࿃�� @<DM�-S:i��U�G�<4���P���Ml�l���k ;`�Q,@E؅l�'#�\tE_�(1�>��Z􎖲9�� P���Eg�&A�@��Q"@�+V<�'�|Fo��o  �� �jl�D�S� �l�FxP�ā�t46ԭw�G~� �� �3��~<H��8ii (�q�Cc`DH�|*q-�	���[���Ǌ�ȧi;T 	�棝�)� I�|�ϒ���AH��lI�� 86	8��CE�B�I���*7�<���`��lJ��;� �IRʵsJ�t�&$ɩ����U�ĬK�l �T0کA87�|�;� GH	��RJ�;+���� (S(��iɻ��K�$K���4 ��s�Ì���(+�"����]B��L��<�\����&�LԌSH�D��xC ��	���ԬM� �4P�>��D��L���M��|�K�
+��4���N�L �Ś�ddlN�4�*� fH��[Dw�O)�
+x��켇c� O�Da  �L*d�I`O�t[���D ����.�O��Nt����{���C��4�� fP�΋��tP��1	�8������d�o`?�D@m�>H\��,Q�d0HQH�eQ��=�Q��D�SH)�D�1���N0 t�]��!EM=HJ�I�^\��Ĺ��<�F)�L�R���,E�Ѕ�#�1P�/�L <����+��3=L�'-�u|���,�(�x�S������24��Q?uJ<��3��`,=Ԭ|��2_8 �;�](���T��GE݅F��+�A��ԏ�<Ee�Q5£�TuJ�t?0�+�+X�Xu�*H E���˵��U�삁D`�`���� �̋�c�	:��P�]hFh�Ii�9;8�0�"�+�֡,Ji� ����90�S5�xDWi�(�6��j�Wy�F 0J�	�W#��~�I �=�)I_�4	��mI �T`��1�8	�ֈEHV���5܅f�X����k��!%يl3H�59�T(XN��GJ%�xC���H��oG��5���T��Y����/0ԣm�o�*��ͻ�}ZoLTR�ӣ�Y��ŨUKE�����Zx|����e�]8M�}F�U�1�V ϸ��g8__~�[0�ؤV9��Z���S�G�= p�ƝCPpҡ�f��oĄ���:�\_D�ϥ�+`\���o胵]���uEJM�)�����X[<4���]'D �+��V4ف����%��i�H��C^W|�0HH�)0���C� �I�����C/� ��p��D�]8S K����_��_��_��_��_��_ ``.`>`N`^`n`~`�`	�`
+�`�`�`�`�`�`aa.a>aFۀ  !� � ,    �K � �	H����*\Ȱ�Ç#J�H��ŋ3j�ȱ�Ǐ C�I��ɓ(S�\ɲ�˗0cʜI��͛8s��ɳ�ϟ@�
+J��ѣH�*]ʴ�ӧP�J�J��իX�j�ʵ�ׯ`ÊK��ٳhӪ]˶�۷p�f|�L�ݻ5���˷�߿�L���È+^̸��ǐ#K�L���˘3k�̹��ϠC�M���ӨS�^ͺ��װc˞M���۸s��ͻ�����N����ȓ+_μ���УK�N����سk�ν����Ë�O�����ӫ_Ͼ�����˟O��������Ͽ��� (��O=#�+7�����x���E�`H8�RHQe�ѡ8t8�</�c�|��
+<�<"	4�xI���H��,��^�@ɨ�N�H�8�l,#���\�Pa��pd�\B"�=< f5RN�<���@�\ry	,[x2��b���f�u�2�|�f�I^2gL�)&<y���t%#ˍ�&�̒�������5�<CM2:@)��xRi��dz?�<3�+���9j���Ph����*Yj�@]��0+�ex"������b��*]�@��4���Vj�̂�믏�"����e��"ڭW|��,�J2[R����9ͺ^�ȯHPcN��R	���P	�[=���<����
+K���0VK��+��M���Μ��1V���?��%#	��0+_�J?��L�#�(	��i���l�:@3�+$P0F�p�%֞z��U�#:K�%R�� e�L&I���,_ҩ,�T�3�,�,�Pojk=�'��X,R��� jߘ��L�9�R�2 $��s�%�cM�(N;3�0 �H2^$���z�3�AyT{�~� R�X�<4�lH�$�I.z,�# �e��TR@�����p�4��Ȏ��p#2��� �����m��?��[
+��*�X3���H�4�dr	#�d@�z��^�0����9ďq�P��A ^�C
+��AF vdB_0��Q�c�8���1.4+�p @z�C��	|�$�6��� A�����C��.l�(xG#�M#mQP�n(�Dta�(�0�@�H���+��N#�F�2�� �`� �@�
+  v!��PD!���4�J{�����H��(��	4 ���.��6 b#倀+$�P_��R^1v�m���	8�k|R�0" ����Pe��aT����R\!Xx|�@���Oj� ��3�A�f�!�A)g�-��L�IY�z �L�<�E3�@� @�#��F(уm4����N�
+x*%�PZ$PANJ�!�T@� �,d�vPD���k��PthR�����@�P  �v�C4n�����{\{f5�Ң<�-�QltB ��$p��Rt(��@3tM��=Y�? ��
+T - � *@1�A �qӛf�Ɩ��B�u&� AZ@�o� F E��W- ��Ġ��H�U���3 �&�@Ip�g�ae�J�Xe�8,�B��3��w��µFh�=��;�#�B(�c�B28�� �
+�`��R68�$ �y� �����!�B<0� �*$�  jCT�����<��@�!�$��A�?����6	̀@ja�8�6����=4qY���Zl��+��p�PE����g@ ���;�^��7�EHk���$�7	,NBxp��*�� ~[��g��W ��@bWA�@J�^M���F��E��PDF%@fă����t��LN�!� ���� ��� ˱O+z�k�$��� �p��{��d(�nӜZSTA ^P�75*;�i�C]�A�>41L=��=~� �aьf�7��w�z A�B�!`=sA ���?�p^#������S{.�.�N5��1��A'HDr� �2�έ�$ ��i�z|��rӅ����@ZPkF���xF*� �#���~��_����6�%k�� b��0�`�1� �t�k])HH�����o�7�j����Ns�0�_	�r��w�U�[�z|����L��X�?�@ ��
+m8G0pL#`Oz�a�/�b6�+�8�L���ыT@�ˌ��ɦ�5�o��=�O�.( ���\�@��P��V�E"�P:D<�I��Rq��0� h���c�ć���U����ͪZ!�;��H��0I��X�00
+����G���	��B�{9��ĕ��O:\9���x8BBq�}��9�B�k{a������j9_^FW��"���\�D9��,ܢ Z��"�p���b P�0�  pxUeU	�mu%D�^�jT� pu��Td  \05p���s� 
+5`v%�`y��k�Kp�7X�� �T���[a
+�`	}�8|�`vpS�*�\ `'�ɧQ��_��z��^��B�V`B��q�Fn%6��r��@ΐ������d���� |� @U%U���`�|u�%a� Y��^���]�f�U_cH�&�b\�Z-`��vʶ�p)�7�o�^a	���'|m@b�\�Q�`UUJC�P�@�k�\H-l��u� `F���f��% Ԩl�G����	T`wf��	I��� �� ���(qC� ,��& (����PH���lϘ���`zg��HF0��v����� �{h�`
+���؎@�����Yc��U��	�P
+Ѓ�-���;�P�-�:6��d.�k�`���o�&	s��HG���� u0m�wb �$�x�U%pu�@�P X��P @�P���-��q��;`}� c���>�^�w^��^;PԨ���)���T���p |X� +`65��8E ,���Bk k���� �}ݕgv�{Yz��ǆy�0����Ȋ�@9�c ��숕� y�[	��ׄ�vW'�d� u� ��	�@T�<�[n��@gq0nd����z�% }�fH�fj� ��L�И�F�	x��'�Y@�u "pS��HP�u%�Z�E���g�pHvG��ffmV��p`*xy ��Y 4��5�9�����   �@ �� C�p�etpSh� Ep�&�y<�VP
+k)��Pyٝ��'��d�����XXמ�����W�,ڢ� �G�b� �"ti�0T�UE���o�z�+ 0�	t�� {�;����A�}���X�����$
+�G�R�} É��t!	`p.����J pU"���gD�������
+��p�n0���aA���؅d`}Zb�)���(!}w�h���j�mЭ��!��%@��Scp
+�g�jH@��H��� 
+����< ���l�vi��p�ް���UP�@oע�+G؎��O �!� mߤAj�А [s���@LP ���P��p�)~�0���������	]�Z@؊�Bhi�J �J0hpU�����uY�^Ho w+���Q@n��t&ӈ����0���N�۠nP�ܺ�u�� �(p��Z�H�W�*F[�V��7�9 ��8�p��5�h#��p�pU�- 
+��.��YiU ` x�!�����mgPX���h�^K���z�ݐ�^��ff�j� 	��o�p
+N@��DK���z�`_� M�(��@�z��Zt�Sp�a��{��P
+0Y 0�X���@���F��^H���г.�
+ګ i���X)	+ @ 5�����K��	Se���	����L�̠�*��T`�) �J�f��^�0L�0AP�u\PT -
+x�J���JP�u5'�� ��ƅ���0�k@T	��GՐ\�����P
+��7! 1� ���Ģj ����0� ��$S�P����p�������	Lp@���a��.��) 9 �9��QpV ���M+�(p��Yhp����y���m������������p��pm�}p��  (� �K��	S,�5@�]��Z\���x�y��T0Y�A��� e5��,� �\��J�P�Z�US���j��Kʿ��j���*������������ʃ�*\U� y�\r��^����v4�) ������a
+B�s   +�Ű��V	���j
+a	a��[,u�i��i�QPZp�8���v �������|����O��� �n��Кѯ�~�Y�����	��H I���V@D���M��Oд(�`U`	`�Qgp�,!;Ω��t�J
+�
+����P-� @�Э-� ����5p�P��(=<`	| H�PP��r&(�)����n���`	d�A | �0�i���� �`���K��XɥEh��<����L�y������P �Z��P ���?'	�(�O�Q���Xu��O�jA�XI��� P :�����iʎܝ��o���ŀޏE�߄ �{dP�i���pL4���U@���跦�����ʀ��J�4Hp��O�	sK���������g�ђ`��ݭ�M�~��P
+L;��,:m�Υ 0�ׅj �ݐJ�,M��@
+���m��L��m�w�,�O@�	�u�
+ �p�Q��h�y����7��)������M�'��
+���C@��n���) ��B��^���=�y0���E����u�&��b����������cJIjP &nͫ���*����� ��
+p����
+�j���;� P� �'Kiy�Q� P�혋��J^쒰S,��	F�ـrp�Qg�DP
+I�F@I��������g�� 	Z0�O��+�U��c���n؅#��P
+MZ�d��.Z�p��~�2OzpSP��aj>I��
+���Nc��ŉώ-���-
+����`�]`��>]9���=�0��������� M�����0�ͱ �rc��!
+�����L	��x	+P�GQ��! �n�V`��	�#}�KVp���مy����u`�,�� ۭN���Ǣ��G�%� ��U,�
+"!ع/~̿Z (��2K�������?�����+��	�L �`�ߠ���K������K|H*W���6�~=y�k]��$��O���!ϰ����I�)U���M �g1eΜ�CH�qZ��F�")�u���{,�.e���S�Q�N�Z��U�(�݀�"���s�5��HO0^|��I B6�sTV������=fB�$1��A���9�Ѣ)�@�[��e̙5o��oEY��H�:t���,�UK��S*B*�3����*��M�d�T��ǎ@��y�6�[�o��O�^��u�0��rڻW�*�e;�$�0B&*�:����w��f@��P�Q�Fy;4�@�ɁI���4+�"�"�0ɒ�B"@�k���B�	�4������t�Ec�j�"��
+����uT�0#FL���D*!�� CD&g��� ���IF,��RFJ�"-�QǳXmB�0�1fS`&��vh��q&��,
+��ha�-5���Pa���"J�e�$��6~9s�'\;��B��K����3�!��aP��j�F\�s7!Q\sՕ)]��U�Ђ��t�h<�Բ�>���+���f`��>Z��
+�I"� X�I�6�r�g�Ā�vu�]]�	�E~-�H�i�;Q��'�1�*�]����Ι ���^�h�ڙ&p�ܡ�Lw�ܹ^�Cv @J{gѢ��B�ي��AM�"�T�DD�B��a�@p��$�����=]`���Xd����m"��W(�(@ҳ�9S�',\�M7�@��P	h�Z �������>���N��2>tQo�3~a�r�4G��1�Y�@R%S�8\���0��g�al�oZ ����	��$c ]���ƅ5h�c��s׽�����_a7(�)��
+%�~��[	��@cm�+D���2P��w�@�R���p\����* �<��E0�T7���t#(x�DP�۬$����vAM�P��V�(*��� 0v�['r �O���D�4T/_�T1 @*�t��0���@��<��p� �N���!t�M��!.�
+pB}��B7P��P�����8������ �� �aE�Zw!'�|�d
+h�z�8i�@�[L*X7��' 6P������3.7FL���i`�XP�g�1mhAEP����@��;�!`�;�lQH��$Uo���AD��������#�˄W8P=" 
+���l@����,ѣT` K�`C��^���2&�B�1� �F��6 �nx��J#1��0S��j�E�+"nb����0��]hIɮgs�I�E��5��� HBٗ{�#X`�:@��J8� �KT�2z�	Kؠ|h�5뵋���q)�3�`�����3�*P�( �0�	"�!zA�^�oB�#�P�mt`k�B
+�� �;嫌�����K6 �n���2�)�T�D�������3 7l@p߈�  i�iA�`%�H�\�Gh��:��hDJ����U���3�4_	�u�-���X %��`��z�?x@�ͺ�OE��2�1c��Xs���'�	F��n݋Mg�2AhXT oe	�ˑS$"��,+�Ѐ
+ü�3�����&���� ,Bj���"�P  ��#�L�F���m p��ħtB��㮞�^lb��L�P�]�p�I`��cg���q�� Jb(k��,�XP�74q,X,SL�l�@�B �x13`�~� � I��
+H�e<_�#���	x�e��a}J$p��>�Ђ3��f,Hb	�!C���%�����&��g�*ϣΊ)Ny� 	�6���T @���7z
+ؕ(i^s�&
+=��}b��H}�`�ʳi  ��j�/�M� ����9��7v�"L 	��GI=I.:�
+/Av���0�v �5���S�t)� Z��g��p�����c}��/��#��FpB�swś
+��$}hcQ�ͨT����7���<�P�O0A�50��X��lq��~nJ����?�7*��EWp�Z�Ba9J���2�H�@�s���ԉ�~ߴBE� ��6�r������8܊��r�	Ha�sނ�k�	�/�t�o��[<�3�>$t�k�;,��W�{ş 7��ihΠ@rd?�e���������A J�F0;�|�#���5��:�+��y��J'�����8BJA|.�Y@�G�%�./��Mg�-+~���X`@L����6��k��K��S�h	�@��
+�XF:@bJ�h:#s4Nx)* <������Q�N94N�<��:X�#p��s��S���R���S��q�H4$��R�C˸�P���8�-x��+��n��������CXA(そ� ��7A ߫�o��Ah��#!o��(8��Xn؀#B���@�	D18.�8?` �4�q����p(��Ɂ8�����h�Ð:�2�;� dCg�&��p�5,&�B;�+��7ߪ2+Ä\�(�BCd�n���<ৢ����H�+1`�0�����$"|!h�5��<�m�,�q�зU\�N���!h(��)���D�O$�*D�� }�'&h�b�`%0XF�.P�À��0A6��x�b�*�od�o��q��?@,�Z#�C�*x�j��,�Bt���|d�*  � �8�#�B��(�o(p�wl�(؆5Ѐ�Ɖ\&P�0x6:�J�g,�g��j$�<�[0����Ĥp�*@>�7��b$B� &IMk��
+�� (�1b;H��b1�:������Ɍ�Bw������H�P�7�ĉ8-�C��$#��$���/�Qb�?���+�:p��F/ڍC� $L��8��:(�+ʨ,�$�n(�E��o�-̌(`��t��̧�H�Cˢp�!lM����H�ߢM��D���EC�A�J��L��j�&$L:� ��F,|\N����/A{5��5P��Ă(p����jF_������O�N�K�Z����i�M��OC��F�D�'˟b�� �"��@8P�	0K�lP�НĂ`M
+�1Ȁ�:���O��DK����;�R�1ؿ��v��n� U|�]�M؅�oX���I�MuSHy �&} ��O\��l�\1�;(�.���j�<��9��e��$4.%���O*�5ŕN�k�@��E�P6L��SC���+ö;���4�F�;B5����<�;�����D�TL�0d�!����|�8ȁ�<�Eh�OE�PE�"��SQZ �w,��|U.�Ӑ@_�68 a�W��,M,X�4���@�6��] �"8�+@�H}[� ��'!�VY�X�;(%��Y @M;
+q}=�8�Ut�6��H��MHS�:
+��x���;����s�%9П�TS-� �́5��`(88�]�#&L�O�INpъ-���-��X���$X��ؒՌ�H�8 Sb�{U7� ��4
+hؙ�N�	���U::��|�%:��) e���=��(�Iq}.( �Y����" �6؅@�mXFu����g-[�(Zf ��"ˁm�5x8�Z��]H�jb:���ˁ���,
+*���ōM��P\&< ��x}�?�������-�����x}X؁�����f��18�YZ8���t�]�����-ú���P�Y��
+�4:�*6`�o`�<��m^���X	���]��d��� Q�HX�^���Z8�Y( & ���h�R�]ٲ%�`���
+ �,���ד�Ƌ��ڍ�u��g؄�ଘ���,�C0�
+4_�Y�ފ���
+T@`���P�(�av��k�!��P8 E�a"N	����-���>̯+a&�b���+�h�b-�I�_��������1�_�0��A�)&c
+4�v��-��I�ܥ�""�J8c=>�;	���@n���4H��Fa�D.]1��E怨�I>�.���d@����1Ѕ =��%&eW~eX�eY�eZ�e[�e\�e]�e^�e_�e`fafb.fc>fdNfe^ffnfg~fh�fi�fj�fk�fl�fm�fn�fo�fpgqgr.gs>gtNgu^gvngw~gt ;
\ Kein Zeilenumbruch am Dateiende.
diff -Nura php-5.1.4/ext/gd/tests/bug37360.phpt hardening-patch-5.1.4-0.4.15/ext/gd/tests/bug37360.phpt
--- php-5.1.4/ext/gd/tests/bug37360.phpt	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/gd/tests/bug37360.phpt	2006-09-05 20:31:02.000000000 +0200
@@ -0,0 +1,14 @@
+--TEST--
+Bug #37360 (gdimagecreatefromgif, bad image sizes)
+--SKIPIF--
+<?php 
+	if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
+	if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$im = imagecreatefromgif(dirname(__FILE__) . '/bug37360.gif');
+var_dump($im);
+?>
+--EXPECTF--
+resource(%d) of type (gd)
diff -Nura php-5.1.4/ext/imap/php_imap.c hardening-patch-5.1.4-0.4.15/ext/imap/php_imap.c
--- php-5.1.4/ext/imap/php_imap.c	2006-01-28 09:07:20.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/imap/php_imap.c	2006-09-05 20:31:02.000000000 +0200
@@ -26,7 +26,7 @@
    | PHP 4.0 updates:  Zeev Suraski <zeev@zend.com>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: php_imap.c,v 1.208.2.7 2006/01/28 08:07:20 mike Exp $ */
+/* $Id: php_imap.c,v 1.208.2.8 2006/08/04 20:31:41 iliaa Exp $ */
 
 #define IMAP41
 
@@ -761,6 +761,13 @@
 		efree(IMAPG(imap_password));
 	}
 
+	/* local filename, need to perform open_basedir and safe_mode checks */
+	if (Z_STRVAL_PP(mailbox)[0] != '{' && 
+			(php_check_open_basedir(Z_STRVAL_PP(mailbox) TSRMLS_CC) || 
+			(PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(mailbox), NULL, CHECKUID_CHECK_FILE_AND_DIR)))) {
+		RETURN_FALSE;
+	}
+
 	IMAPG(imap_user)     = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user));
 	IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd), Z_STRLEN_PP(passwd));
 
diff -Nura php-5.1.4/ext/mysql/php_mysql.c hardening-patch-5.1.4-0.4.15/ext/mysql/php_mysql.c
--- php-5.1.4/ext/mysql/php_mysql.c	2006-01-01 13:50:09.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/mysql/php_mysql.c	2006-09-05 20:31:02.000000000 +0200
@@ -1231,6 +1231,8 @@
 {
 	php_mysql_conn *mysql;
 	MYSQL_RES *mysql_result;
+	char *copy_query;
+	int i;
 	
 	ZEND_FETCH_RESOURCE2(mysql, php_mysql_conn *, mysql_link, link_id, "MySQL-Link", le_link, le_plink);
 	
@@ -1281,6 +1283,13 @@
 				php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn)); 
 			}
 		}
+		copy_query = estrdup(Z_STRVAL_PP(query));
+		for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
+		php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
+		efree(copy_query);
+		if (HG(hphp_sql_bailout_on_error)) {
+			zend_bailout();
+		}
 		RETURN_FALSE;
 	}
 #else
@@ -1291,6 +1300,13 @@
 				php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn)); 
 			}
 		}
+		copy_query = estrdup(Z_STRVAL_PP(query));
+		for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
+		php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
+		efree(copy_query);
+		if (HG(hphp_sql_bailout_on_error)) {
+			zend_bailout();
+		}
 		RETURN_FALSE;
 	}
 #endif
diff -Nura php-5.1.4/ext/mysqli/mysqli_nonapi.c hardening-patch-5.1.4-0.4.15/ext/mysqli/mysqli_nonapi.c
--- php-5.1.4/ext/mysqli/mysqli_nonapi.c	2006-03-24 10:32:24.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/mysqli/mysqli_nonapi.c	2006-09-05 20:31:02.000000000 +0200
@@ -184,6 +184,17 @@
 	if (mysql_real_query(mysql->mysql, query, query_len)) {
 		char s_error[MYSQL_ERRMSG_SIZE], s_sqlstate[SQLSTATE_LENGTH+1];
 		unsigned int s_errno;
+#if HARDENING_PATCH
+		char *query_copy = estrdup(query);
+		int i;
+		
+		for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
+		php_security_log(S_SQL, "MySQLi error: %s - query: %s", mysql->mysql->net.last_error, query_copy);
+		efree(query_copy);
+		if (HG(hphp_sql_bailout_on_error)) {
+			zend_bailout();
+		}
+#endif
 		MYSQLI_REPORT_MYSQL_ERROR(mysql->mysql);
 
 		/* we have to save error information, cause 
@@ -234,6 +245,17 @@
 	MYSQLI_DISABLE_MQ;
 
 	if (mysql_real_query(mysql->mysql, query, query_len)) {
+#if HARDENING_PATCH
+		char *query_copy = estrdup(query);
+		int i;
+		
+		for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
+		php_security_log(S_SQL, "MySQLi error: %s - query: %s", mysql->mysql->net.last_error, query_copy);
+		efree(query_copy);
+		if (HG(hphp_sql_bailout_on_error)) {
+			zend_bailout();
+		}
+#endif
 		MYSQLI_REPORT_MYSQL_ERROR(mysql->mysql);
 		RETURN_FALSE;
 	}
diff -Nura php-5.1.4/ext/pgsql/pgsql.c hardening-patch-5.1.4-0.4.15/ext/pgsql/pgsql.c
--- php-5.1.4/ext/pgsql/pgsql.c	2006-04-10 21:51:55.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/pgsql/pgsql.c	2006-09-05 20:31:04.000000000 +0200
@@ -1152,10 +1152,28 @@
 		case PGRES_EMPTY_QUERY:
 		case PGRES_BAD_RESPONSE:
 		case PGRES_NONFATAL_ERROR:
-		case PGRES_FATAL_ERROR:
-			PHP_PQ_ERROR("Query failed: %s", pgsql);
-			PQclear(pgsql_result);
-			RETURN_FALSE;
+		case PGRES_FATAL_ERROR: 
+			{
+#if HARDENING_PATCH
+				int i;
+				char *query_copy;
+#endif				
+				char *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql), NULL);
+				PQclear(pgsql_result);
+#if HARDENING_PATCH
+				query_copy = estrdup(Z_STRVAL_PP(query));
+				for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
+				php_security_log(S_SQL, "PgSQL error: %s - query: %s", msgbuf, query_copy);
+				efree(query_copy);
+				if (HG(hphp_sql_bailout_on_error)) {
+					efree(msgbuf);
+					zend_bailout();
+				}
+#endif				
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Query failed: %s", msgbuf);
+				efree(msgbuf);
+				RETURN_FALSE;
+			}
 			break;
 		case PGRES_COMMAND_OK: /* successful command that did not return rows */
 		default:
diff -Nura php-5.1.4/ext/session/mod_files.c hardening-patch-5.1.4-0.4.15/ext/session/mod_files.c
--- php-5.1.4/ext/session/mod_files.c	2006-04-18 02:31:45.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/session/mod_files.c	2006-09-05 20:31:04.000000000 +0200
@@ -152,6 +152,7 @@
 		
 		if (!ps_files_valid_key(key)) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'");
+			PS(invalid_session_id) = 1;
 			return;
 		}
 		if (!ps_files_path_create(buf, sizeof(buf), data, key))
@@ -401,7 +402,12 @@
 		ps_files_close(data);
 	
 		if (VCWD_UNLINK(buf) == -1) {
-			return FAILURE;
+			/* This is a little safety check for instances when we are dealing with a regenerated session
+			 * that was not yet written to disk
+			 */
+			if (!VCWD_ACCESS(buf, F_OK)) {
+				return FAILURE;
+			}
 		}
 	}
 
@@ -422,6 +428,35 @@
 	return SUCCESS;
 }
 
+PS_VALIDATE_SID_FUNC(files)
+{
+	char buf[MAXPATHLEN];
+	int fd;
+	PS_FILES_DATA;
+
+	if (!ps_files_valid_key(key)) {
+                return FAILURE;
+        }
+        
+        if (!PS(use_strict_mode)) {
+                return SUCCESS;
+        }
+	
+        if (!ps_files_path_create(buf, sizeof(buf), data, key)) {
+		return FAILURE;
+        }
+	
+        fd = VCWD_OPEN_MODE(buf, O_RDWR | O_BINARY, 
+				data->filemode);
+	
+        if (fd != -1) {
+                close(fd);
+                return SUCCESS;
+        }
+        
+	return FAILURE;
+}
+
 /*
  * Local variables:
  * tab-width: 4
diff -Nura php-5.1.4/ext/session/mod_mm.c hardening-patch-5.1.4-0.4.15/ext/session/mod_mm.c
--- php-5.1.4/ext/session/mod_mm.c	2006-01-01 13:50:12.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/session/mod_mm.c	2006-09-05 20:31:04.000000000 +0200
@@ -425,6 +425,42 @@
 	return SUCCESS;
 }
 
+PS_VALIDATE_SID_FUNC(mm)
+{
+	PS_MM_DATA;
+	ps_sd *sd;
+	const char *p;
+	char c;
+	int ret = SUCCESS;
+
+	for (p = key; (c = *p); p++) {
+		/* valid characters are a..z,A..Z,0..9 */
+		if (!((c >= 'a' && c <= 'z')
+				|| (c >= 'A' && c <= 'Z')
+				|| (c >= '0' && c <= '9')
+				|| c == ','
+				|| c == '-')) {
+			return FAILURE;
+		}
+	}
+
+        if (!PS(use_strict_mode)) {
+                return SUCCESS;
+        }
+
+	mm_lock(data->mm, MM_LOCK_RD);
+	
+	sd = ps_sd_lookup(data, key, 0);
+	if (sd) {
+	        mm_unlock(data->mm);
+		return SUCCESS;
+	}
+
+	mm_unlock(data->mm);
+	
+	return FAILURE;
+}
+
 #endif
 
 /*
diff -Nura php-5.1.4/ext/session/mod_user.c hardening-patch-5.1.4-0.4.15/ext/session/mod_user.c
--- php-5.1.4/ext/session/mod_user.c	2006-01-01 13:50:12.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/session/mod_user.c	2006-09-05 20:31:04.000000000 +0200
@@ -23,7 +23,7 @@
 #include "mod_user.h"
 
 ps_module ps_mod_user = {
-	PS_MOD(user)
+	PS_MOD_SID(user)
 };
 
 #define SESS_ZVAL_LONG(val, a) 					\
@@ -174,6 +174,83 @@
 	FINISH;
 }
 
+PS_CREATE_SID_FUNC(user)
+{
+	int i;
+        char *val = NULL;
+	zval *retval;
+	ps_user *mdata = PS_GET_MOD_DATA();
+	
+        if (!mdata)
+		return estrndup("", 0);
+
+        if (PSF(create) == NULL || ZVAL_IS_NULL(PSF(create))) {
+                return php_session_create_id(mod_data, newlen TSRMLS_CC);
+        }
+	retval = ps_call_handler(PSF(create), 0, NULL TSRMLS_CC);
+
+	if (retval) {
+		if (Z_TYPE_P(retval) == IS_STRING) {
+			val = estrndup(Z_STRVAL_P(retval), Z_STRLEN_P(retval));
+		} else {
+                        val = estrndup("", 0);
+                }
+		zval_ptr_dtor(&retval);
+	} else {
+                val = estrndup("", 0);
+        }
+        
+        return val;
+}
+
+static int ps_user_valid_key(const char *key TSRMLS_DC)
+{
+	size_t len;
+	const char *p;
+	char c;
+	int ret = SUCCESS;
+
+	for (p = key; (c = *p); p++) {
+		/* valid characters are a..z,A..Z,0..9 */
+		if (!((c >= 'a' && c <= 'z')
+				|| (c >= 'A' && c <= 'Z')
+				|| (c >= '0' && c <= '9')
+				|| c == ','
+				|| c == '-')) {
+			ret = FAILURE;
+			break;
+		}
+	}
+
+	len = p - key;
+	
+	if (len == 0)
+		ret = FAILURE;
+	
+	return ret;
+}
+
+PS_VALIDATE_SID_FUNC(user)
+{
+	zval *args[1];
+	STDVARS;
+
+        if (PSF(validate) == NULL || ZVAL_IS_NULL(PSF(validate))) {
+                return ps_user_valid_key(key TSRMLS_CC);
+        }
+	SESS_ZVAL_STRING(key, args[0]);
+
+	retval = ps_call_handler(PSF(validate), 1, args TSRMLS_CC);
+
+	if (retval) {
+		convert_to_long(retval);
+		ret = Z_LVAL_P(retval) ? SUCCESS : FAILURE;
+		zval_ptr_dtor(&retval);
+	}
+        
+        return ret;
+}
+
 /*
  * Local variables:
  * tab-width: 4
diff -Nura php-5.1.4/ext/session/mod_user.h hardening-patch-5.1.4-0.4.15/ext/session/mod_user.h
--- php-5.1.4/ext/session/mod_user.h	2006-01-01 13:50:12.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/session/mod_user.h	2006-09-05 20:31:04.000000000 +0200
@@ -22,7 +22,7 @@
 #define MOD_USER_H
 
 typedef union {
-	zval *names[6];
+	zval *names[8];
 	struct {
 		zval *ps_open;
 		zval *ps_close;
@@ -30,6 +30,8 @@
 		zval *ps_write;
 		zval *ps_destroy;
 		zval *ps_gc;
+                zval *ps_create;
+                zval *ps_validate;
 	} name;
 } ps_user;
 
diff -Nura php-5.1.4/ext/session/php_session.h hardening-patch-5.1.4-0.4.15/ext/session/php_session.h
--- php-5.1.4/ext/session/php_session.h	2006-01-28 07:14:49.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/session/php_session.h	2006-09-05 20:31:04.000000000 +0200
@@ -23,7 +23,7 @@
 
 #include "ext/standard/php_var.h"
 
-#define PHP_SESSION_API 20020330
+#define PHP_SESSION_API 20051121
 
 #define PS_OPEN_ARGS void **mod_data, const char *save_path, const char *session_name TSRMLS_DC
 #define PS_CLOSE_ARGS void **mod_data TSRMLS_DC
@@ -32,6 +32,7 @@
 #define PS_DESTROY_ARGS void **mod_data, const char *key TSRMLS_DC
 #define PS_GC_ARGS void **mod_data, int maxlifetime, int *nrdels TSRMLS_DC
 #define PS_CREATE_SID_ARGS void **mod_data, int *newlen TSRMLS_DC
+#define PS_VALIDATE_SID_ARGS void **mod_data, const char *key TSRMLS_DC
 
 /* default create id function */
 PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS);
@@ -45,6 +46,7 @@
 	int (*s_destroy)(PS_DESTROY_ARGS);
 	int (*s_gc)(PS_GC_ARGS);
 	char *(*s_create_sid)(PS_CREATE_SID_ARGS);
+        int (*s_validate_sid)(PS_VALIDATE_SID_ARGS);
 } ps_module;
 
 #define PS_GET_MOD_DATA() *mod_data
@@ -57,6 +59,7 @@
 #define PS_DESTROY_FUNC(x) 	int ps_delete_##x(PS_DESTROY_ARGS)
 #define PS_GC_FUNC(x) 		int ps_gc_##x(PS_GC_ARGS)
 #define PS_CREATE_SID_FUNC(x)	char *ps_create_sid_##x(PS_CREATE_SID_ARGS)
+#define PS_VALIDATE_SID_FUNC(x)	int ps_validate_sid_##x(PS_VALIDATE_SID_ARGS)
 
 #define PS_FUNCS(x) \
 	PS_OPEN_FUNC(x); \
@@ -65,11 +68,12 @@
 	PS_WRITE_FUNC(x); \
 	PS_DESTROY_FUNC(x); \
 	PS_GC_FUNC(x);	\
-	PS_CREATE_SID_FUNC(x)
+	PS_CREATE_SID_FUNC(x); \
+        PS_VALIDATE_SID_FUNC(x)
 
 #define PS_MOD(x) \
 	#x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
-	 ps_delete_##x, ps_gc_##x, php_session_create_id
+	 ps_delete_##x, ps_gc_##x, php_session_create_id, ps_validate_sid_##x
 
 /* SID enabled module handler definitions */
 #define PS_FUNCS_SID(x) \
@@ -79,11 +83,12 @@
 	PS_WRITE_FUNC(x); \
 	PS_DESTROY_FUNC(x); \
 	PS_GC_FUNC(x); \
-	PS_CREATE_SID_FUNC(x)
+	PS_CREATE_SID_FUNC(x); \
+        PS_VALIDATE_SID(x)
 
 #define PS_MOD_SID(x) \
 	#x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
-	 ps_delete_##x, ps_gc_##x, ps_create_sid_##x
+	 ps_delete_##x, ps_gc_##x, ps_create_sid_##x, ps_validate_sid_##x
 
 typedef enum {
 	php_session_disabled,
@@ -120,11 +125,13 @@
 	zend_bool use_only_cookies;
 	zend_bool use_trans_sid;	/* contains the INI value of whether to use trans-sid */
 	zend_bool apply_trans_sid;	/* whether or not to enable trans-sid for the current request */
+        zend_bool use_strict_mode;      /* whether or not PHP accepts unknown session ids */
 
 	long hash_func;
 	long hash_bits_per_character;
 	int send_cookie;
 	int define_sid;
+	zend_bool invalid_session_id;	/* allows the driver to report about an invalid session id and request id regeneration */
 } php_ps_globals;
 
 typedef php_ps_globals zend_ps_globals;
diff -Nura php-5.1.4/ext/session/session.c hardening-patch-5.1.4-0.4.15/ext/session/session.c
--- php-5.1.4/ext/session/session.c	2006-02-10 08:39:13.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/session/session.c	2006-09-05 20:31:04.000000000 +0200
@@ -166,6 +166,7 @@
 	STD_PHP_INI_BOOLEAN("session.cookie_secure",    "",          PHP_INI_ALL, OnUpdateBool,   cookie_secure,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_cookies",      "1",         PHP_INI_ALL, OnUpdateBool,   use_cookies,        php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0",         PHP_INI_ALL, OnUpdateBool,   use_only_cookies,   php_ps_globals,    ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_strict_mode",  "1",         PHP_INI_ALL, OnUpdateBool,   use_strict_mode,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.referer_check",      "",          PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.entropy_file",       "",          PHP_INI_ALL, OnUpdateString, entropy_file,       php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.entropy_length",     "0",         PHP_INI_ALL, OnUpdateLong,    entropy_length,     php_ps_globals,    ps_globals)
@@ -280,9 +281,13 @@
 PHPAPI void php_add_session_var(char *name, size_t namelen TSRMLS_DC)
 {
 	zval **sym_track = NULL;
-	
-	zend_hash_find(Z_ARRVAL_P(PS(http_session_vars)), name, namelen + 1, 
-			(void *) &sym_track);
+
+	IF_SESSION_VARS() {
+		zend_hash_find(Z_ARRVAL_P(PS(http_session_vars)), name, namelen + 1, 
+				(void *) &sym_track);
+	} else {
+		return;
+	}
 
 	/*
 	 * Set up a proper reference between $_SESSION["x"] and $x.
@@ -758,9 +763,23 @@
 		return;
 	}
 	
+        /* If there is an ID, use session module to verify it */
+        if (PS(id)) {
+                if (PS(mod)->s_validate_sid(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
+                        efree(PS(id));
+                        PS(id) = NULL;
+                        PS(send_cookie) = 1;
+                }
+        }
+        
 	/* If there is no ID, use session module to create one */
-	if (!PS(id))
+	if (!PS(id)) {
+new_session:
 		PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
+		if (PS(use_cookies)) {
+			PS(send_cookie) = 1;
+		}
+	}
 	
 	/* Read data */
 	/* Question: if you create a SID here, should you also try to read data?
@@ -769,9 +788,14 @@
 	 * session information
 	 */
 	php_session_track_init(TSRMLS_C);
+	PS(invalid_session_id) = 0;
 	if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, &vallen TSRMLS_CC) == SUCCESS) {
 		php_session_decode(val, vallen TSRMLS_CC);
 		efree(val);
+	} else if (PS(invalid_session_id)) { /* address instances where the session read fails due to an invalid id */
+		PS(invalid_session_id) = 0;
+		efree(PS(id));
+		goto new_session;
 	}
 }
 
@@ -1377,22 +1401,29 @@
 }
 /* }}} */
 
-/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc)
+/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc[, string create, string validate])
    Sets user-level functions */
 PHP_FUNCTION(session_set_save_handler)
 {
-	zval **args[6];
-	int i;
+	zval **args[8];
+	int i, numargs;
 	ps_user *mdata;
 	char *name;
 
-	if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE)
+        numargs = ZEND_NUM_ARGS();
+        args[6] = NULL;
+        args[7] = NULL;
+        
+	if (numargs < 6 || numargs > 8 || zend_get_parameters_array_ex(numargs, args) == FAILURE)
 		WRONG_PARAM_COUNT;
 	
 	if (PS(session_status) != php_session_none) 
 		RETURN_FALSE;
 	
-	for (i = 0; i < 6; i++) {
+	for (i = 0; i < 8; i++) {
+                if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
+                        continue;
+                }
 		if (!zend_is_callable(*args[i], 0, &name)) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument %d is not a valid callback", i+1);
 			efree(name);
@@ -1405,7 +1436,11 @@
 
 	mdata = emalloc(sizeof(*mdata));
 	
-	for (i = 0; i < 6; i++) {
+	for (i = 0; i < 8; i++) {
+                if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
+                        mdata->names[i] = NULL;
+                        continue;
+                }
 		ZVAL_ADDREF(*args[i]);
 		mdata->names[i] = *args[i];
 	}
@@ -1475,6 +1510,11 @@
 		WRONG_PARAM_COUNT;
 	}
 
+	if (SG(headers_sent)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot regenerate session id - headers already sent");
+		RETURN_FALSE;
+	}
+
 	if (PS(session_status) == php_session_active) {
 		if (PS(id)) {
 			if (del_ses && PS(mod)->s_destroy(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
@@ -1531,8 +1571,8 @@
 		WRONG_PARAM_COUNT;
 
 	if (ac == 1) {
-		convert_to_long_ex(p_cache_expire);
-		PS(cache_expire) = Z_LVAL_PP(p_cache_expire);
+		convert_to_string_ex(p_cache_expire);
+		zend_alter_ini_entry("session.cache_expire", sizeof("session.cache_expire"), Z_STRVAL_PP(p_cache_expire), Z_STRLEN_PP(p_cache_expire), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME);
 	}
 
 	RETVAL_LONG(old);
diff -Nura php-5.1.4/ext/session/tests/014.phpt hardening-patch-5.1.4-0.4.15/ext/session/tests/014.phpt
--- php-5.1.4/ext/session/tests/014.phpt	2005-07-04 15:09:14.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/session/tests/014.phpt	2006-09-05 20:31:04.000000000 +0200
@@ -5,6 +5,7 @@
 --INI--
 session.use_trans_sid=1
 session.use_cookies=0
+session.use_strict_mode=0
 session.cache_limiter=
 register_globals=1
 session.bug_compat_42=1
diff -Nura php-5.1.4/ext/session/tests/015.phpt hardening-patch-5.1.4-0.4.15/ext/session/tests/015.phpt
--- php-5.1.4/ext/session/tests/015.phpt	2005-07-04 15:09:14.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/session/tests/015.phpt	2006-09-05 20:31:04.000000000 +0200
@@ -5,6 +5,7 @@
 --INI--
 session.use_trans_sid=1
 session.use_cookies=0
+session.use_strict_mode=0
 session.cache_limiter=
 arg_separator.output=&
 session.name=PHPSESSID
diff -Nura php-5.1.4/ext/session/tests/018.phpt hardening-patch-5.1.4-0.4.15/ext/session/tests/018.phpt
--- php-5.1.4/ext/session/tests/018.phpt	2005-07-04 15:09:14.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/session/tests/018.phpt	2006-09-05 20:31:04.000000000 +0200
@@ -4,6 +4,7 @@
 <?php include('skipif.inc'); ?>
 --INI--
 session.use_cookies=0
+session.use_strict_mode=0
 session.cache_limiter=
 session.use_trans_sid=1
 session.name=PHPSESSID
diff -Nura php-5.1.4/ext/session/tests/019.phpt hardening-patch-5.1.4-0.4.15/ext/session/tests/019.phpt
--- php-5.1.4/ext/session/tests/019.phpt	2005-07-04 15:09:14.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/session/tests/019.phpt	2006-09-05 20:31:04.000000000 +0200
@@ -4,6 +4,7 @@
 <?php include('skipif.inc'); ?>
 --INI--
 session.use_cookies=0
+session.use_strict_mode=0
 session.cache_limiter=
 register_globals=1
 session.serialize_handler=php
diff -Nura php-5.1.4/ext/session/tests/020.phpt hardening-patch-5.1.4-0.4.15/ext/session/tests/020.phpt
--- php-5.1.4/ext/session/tests/020.phpt	2005-07-04 15:09:14.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/session/tests/020.phpt	2006-09-05 20:31:04.000000000 +0200
@@ -4,6 +4,7 @@
 <?php include('skipif.inc'); ?>
 --INI--
 session.use_cookies=0
+session.use_strict_mode=0
 session.cache_limiter=
 session.use_trans_sid=1
 arg_separator.output=&amp;
diff -Nura php-5.1.4/ext/session/tests/021.phpt hardening-patch-5.1.4-0.4.15/ext/session/tests/021.phpt
--- php-5.1.4/ext/session/tests/021.phpt	2005-07-04 15:09:14.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/session/tests/021.phpt	2006-09-05 20:31:04.000000000 +0200
@@ -4,6 +4,7 @@
 <?php include('skipif.inc'); ?>
 --INI--
 session.use_cookies=0
+session.use_strict_mode=0
 session.cache_limiter=
 session.use_trans_sid=1
 url_rewriter.tags="a=href,area=href,frame=src,input=src,form=,fieldset="
diff -Nura php-5.1.4/ext/session/tests/bug38377.phpt hardening-patch-5.1.4-0.4.15/ext/session/tests/bug38377.phpt
--- php-5.1.4/ext/session/tests/bug38377.phpt	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/session/tests/bug38377.phpt	2006-09-05 20:31:04.000000000 +0200
@@ -0,0 +1,13 @@
+--TEST--
+bug #38377 (session_destroy() gives warning after session_regenerate_id())
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+session_start();
+session_regenerate_id();
+session_destroy();
+echo "Done\n";
+?>
+--EXPECT--
+Done
diff -Nura php-5.1.4/ext/sockets/sockets.c hardening-patch-5.1.4-0.4.15/ext/sockets/sockets.c
--- php-5.1.4/ext/sockets/sockets.c	2006-04-07 16:04:36.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/sockets/sockets.c	2006-09-05 20:31:04.000000000 +0200
@@ -533,6 +533,7 @@
 {
 	zval		**element;
 	php_socket	*php_sock;
+	int			num = 0;
 	
 	if (Z_TYPE_P(sock_array) != IS_ARRAY) return 0;
 
@@ -547,9 +548,10 @@
 		if (php_sock->bsd_socket > *max_fd) {
 			*max_fd = php_sock->bsd_socket;
 		}
+		num++;
 	}
 
-	return 1;
+	return num ? 1 : 0;
 }
 
 static int php_sock_array_from_fd_set(zval *sock_array, fd_set *fds TSRMLS_DC)
@@ -558,6 +560,7 @@
 	zval		**dest_element;
 	php_socket	*php_sock;
 	HashTable	*new_hash;
+	int			num = 0;
 
 	if (Z_TYPE_P(sock_array) != IS_ARRAY) return 0;
 
@@ -575,6 +578,7 @@
 			zend_hash_next_index_insert(new_hash, (void *)element, sizeof(zval *), (void **)&dest_element);
 			if (dest_element) zval_add_ref(dest_element);
 		}
+		num++;
 	}
 
 	/* Destroy old array, add new one */
@@ -584,7 +588,7 @@
 	zend_hash_internal_pointer_reset(new_hash);
 	Z_ARRVAL_P(sock_array) = new_hash;
 
-	return 1;
+	return num ? 1 : 0;
 }
 
 /* {{{ proto int socket_select(array &read_fds, array &write_fds, &array except_fds, int tv_sec[, int tv_usec])
diff -Nura php-5.1.4/ext/sqlite/sess_sqlite.c hardening-patch-5.1.4-0.4.15/ext/sqlite/sess_sqlite.c
--- php-5.1.4/ext/sqlite/sess_sqlite.c	2006-01-01 13:50:14.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/sqlite/sess_sqlite.c	2006-09-05 20:31:04.000000000 +0200
@@ -185,6 +185,76 @@
 	return SQLITE_RETVAL(rv);
 }
 
+PS_VALIDATE_SID_FUNC(sqlite)
+{
+	PS_SQLITE_DATA;
+	char *query;
+	const char *tail;
+	sqlite_vm *vm;
+	int colcount, result;
+	const char **rowdata, **colnames;
+	char *error;
+	size_t len;
+	const char *p;
+	char c;
+	int ret = FAILURE;
+
+	for (p = key; (c = *p); p++) {
+		/* valid characters are a..z,A..Z,0..9 */
+		if (!((c >= 'a' && c <= 'z')
+				|| (c >= 'A' && c <= 'Z')
+				|| (c >= '0' && c <= '9')
+				|| c == ','
+				|| c == '-')) {
+			return FAILURE;
+			break;
+		}
+	}
+
+	len = p - key;
+	
+	if (len == 0)
+		return FAILURE;
+	
+        if (!PS(use_strict_mode)) {
+                return SUCCESS;
+        }
+	
+	query = sqlite_mprintf("SELECT value FROM session_data WHERE sess_id='%q' LIMIT 1", key);
+	if (query == NULL) {
+		/* no memory */
+		return FAILURE;
+	}
+
+	if (sqlite_compile(db, query, &tail, &vm, &error) != SQLITE_OK) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "SQLite: Could not compile session validate sid query: %s", error);
+		sqlite_freemem(error);
+		sqlite_freemem(query);
+		return FAILURE;
+	}
+
+	switch ((result = sqlite_step(vm, &colcount, &rowdata, &colnames))) {
+		case SQLITE_ROW:
+			if (rowdata[0] != NULL) {
+                                ret = SUCCESS;
+			}
+			break;
+		default:
+			sqlite_freemem(error);
+			error = NULL;
+	}
+	
+	if (SQLITE_OK != sqlite_finalize(vm, &error)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "SQLite: session validate sid: error %s", error);
+		sqlite_freemem(error);
+		error = NULL;
+	}
+
+	sqlite_freemem(query);
+	
+	return ret;
+}
+
 #endif /* HAVE_PHP_SESSION && !defined(COMPILE_DL_SESSION) */
 
 /*
diff -Nura php-5.1.4/ext/sqlite/sqlite.c hardening-patch-5.1.4-0.4.15/ext/sqlite/sqlite.c
--- php-5.1.4/ext/sqlite/sqlite.c	2006-04-18 16:30:15.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/sqlite/sqlite.c	2006-09-05 20:31:04.000000000 +0200
@@ -1530,6 +1530,19 @@
 	db->last_err_code = ret;
 
 	if (ret != SQLITE_OK) {
+#if HARDENING_PATCH
+		char *query_copy;
+		int i;
+
+		query_copy = estrdup(sql);
+		for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
+		php_security_log(S_SQL, "SQLite error: %s - query: %s", errtext, query_copy);
+		efree(query_copy);
+		if (HG(hphp_sql_bailout_on_error)) {
+			sqlite_freemem(errtext);
+			zend_bailout();
+		}
+#endif
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", errtext);
 		if (errmsg) {
 			ZVAL_STRING(errmsg, errtext, 1);
diff -Nura php-5.1.4/ext/standard/array.c hardening-patch-5.1.4-0.4.15/ext/standard/array.c
--- php-5.1.4/ext/standard/array.c	2006-04-12 21:30:52.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/standard/array.c	2006-09-05 20:31:04.000000000 +0200
@@ -92,6 +92,8 @@
 
 #define DOUBLE_DRIFT_FIX	0.000000000000001
 
+ZEND_DECLARE_MODULE_GLOBALS(array)
+
 /* {{{ php_array_init_globals
  */
 static void php_array_init_globals(zend_array_globals *array_globals)
@@ -1295,6 +1297,32 @@
 			}
 		}
 	}
+
+	if (var_name[0] == 'H') {
+		if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
+		    (strcmp(var_name, "HTTP_POST_VARS")==0)||
+		    (strcmp(var_name, "HTTP_POST_FILES")==0)||
+		    (strcmp(var_name, "HTTP_ENV_VARS")==0)||
+		    (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
+		    (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
+		    (strcmp(var_name, "HTTP_COOKIE_VARS")==0)||
+		    (strcmp(var_name, "HTTP_RAW_POST_DATA")==0)) {
+		    return 0;
+		}
+	} else if (var_name[0] == '_') {
+		if ((strcmp(var_name, "_COOKIE")==0)||
+		    (strcmp(var_name, "_ENV")==0)||
+		    (strcmp(var_name, "_FILES")==0)||
+		    (strcmp(var_name, "_GET")==0)||
+		    (strcmp(var_name, "_POST")==0)||
+		    (strcmp(var_name, "_REQUEST")==0)||
+		    (strcmp(var_name, "_SESSION")==0)||
+		    (strcmp(var_name, "_SERVER")==0)) {
+		    return 0;
+		}
+	} else if (strcmp(var_name, "GLOBALS")==0) {
+		return 0;
+	}
 	
 	return 1;
 }
diff -Nura php-5.1.4/ext/standard/basic_functions.c hardening-patch-5.1.4-0.4.15/ext/standard/basic_functions.c
--- php-5.1.4/ext/standard/basic_functions.c	2006-04-03 15:46:11.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/standard/basic_functions.c	2006-09-07 19:34:44.000000000 +0200
@@ -151,12 +151,14 @@
 typedef struct _php_shutdown_function_entry {
 	zval **arguments;
 	int arg_count;
+	zend_bool created_by_eval;
 } php_shutdown_function_entry;
 
 typedef struct _user_tick_function_entry {
 	zval **arguments;
 	int arg_count;
 	int calling;
+	zend_bool created_by_eval;
 } user_tick_function_entry;
 
 /* some prototypes for local functions */
@@ -188,6 +190,8 @@
 	PHP_FE(get_html_translation_table,										NULL)
 	PHP_FE(sha1,															NULL)
 	PHP_FE(sha1_file,														NULL)
+	PHP_FE(sha256,															NULL)
+	PHP_FE(sha256_file,														NULL)
 	PHP_NAMED_FE(md5,php_if_md5,											NULL)
 	PHP_NAMED_FE(md5_file,php_if_md5_file,									NULL)
 	PHP_NAMED_FE(crc32,php_if_crc32,										NULL)
@@ -632,7 +636,7 @@
 	PHP_FALIAS(socket_get_status, stream_get_meta_data,						NULL)
 
 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
-	PHP_FE(realpath,														NULL)
+	PHP_STATIC_FE("realpath",		zif_real_path,							NULL)
 #endif
 
 #ifdef HAVE_FNMATCH
@@ -2034,7 +2038,7 @@
 			break;
 
 		case 3:		/*save to a file */
-			stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
+			stream = php_stream_open_wrapper(opt, "a", IGNORE_URL_WIN | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
 			if (!stream)
 				return FAILURE;
 			php_stream_write(stream, message, strlen(message));
@@ -2279,6 +2283,13 @@
 {
 	zval retval;
 	char *function_name = NULL;
+#if HARDENING_PATCH	
+	zend_uint orig_code_type = EG(in_code_type);
+
+	if (shutdown_function_entry->created_by_eval) {
+		EG(in_code_type) = ZEND_EVAL_CODE;
+	}
+#endif
 
 	if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
 		php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
@@ -2294,6 +2305,9 @@
 	if (function_name) {
 		efree(function_name);
 	}
+#if HARDENING_PATCH	
+	EG(in_code_type) = orig_code_type;
+#endif
 	return 0;
 }
 
@@ -2301,6 +2315,13 @@
 {
 	zval retval;
 	zval *function = tick_fe->arguments[0];
+#if HARDENING_PATCH	
+	zend_uint orig_code_type = EG(in_code_type);
+
+	if (tick_fe->created_by_eval) {
+		EG(in_code_type) = ZEND_EVAL_CODE;
+	}
+#endif
 	
 	/* Prevent reentrant calls to the same user ticks function */
 	if (! tick_fe->calling) {
@@ -2332,6 +2353,9 @@
 	
 		tick_fe->calling = 0;
 	}
+#if HARDENING_PATCH	
+	EG(in_code_type) = orig_code_type;
+#endif
 }
 
 static void run_user_tick_functions(int tick_count)
@@ -2395,6 +2419,13 @@
 	}
 
 	shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0);
+#if HARDENING_PATCH
+	if (EG(in_code_type)==ZEND_EVAL_CODE) {
+		shutdown_function_entry.created_by_eval = 1;
+	} else {
+		shutdown_function_entry.created_by_eval = 0;
+	}
+#endif	
 
 	if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
 		efree(shutdown_function_entry.arguments);
@@ -2722,6 +2753,15 @@
 
 	convert_to_string_ex(varname);
 
+	/* checks that ensure the user does not overwrite certain ini settings when safe_mode is enabled */
+	if (PG(safe_mode)) {
+		if (!strncmp("max_execution_time", Z_STRVAL_PP(varname), sizeof("max_execution_time")) ||
+			!strncmp("memory_limit", Z_STRVAL_PP(varname), sizeof("memory_limit")) ||
+			!strncmp("child_terminate", Z_STRVAL_PP(varname), sizeof("child_terminate"))) {
+			RETURN_FALSE;
+		}	
+	}	
+
 	zend_restore_ini_entry(Z_STRVAL_PP(varname), Z_STRLEN_PP(varname)+1, PHP_INI_STAGE_RUNTIME);
 }
 /* }}} */
@@ -2979,6 +3019,13 @@
 	}
 
 	tick_fe.arguments = (zval **) safe_emalloc(sizeof(zval *), tick_fe.arg_count, 0);
+#if HARDENING_PATCH
+	if (EG(in_code_type)==ZEND_EVAL_CODE) {
+		tick_fe.created_by_eval = 1;
+	} else {
+		tick_fe.created_by_eval = 0;
+	}
+#endif	
 
 	if (zend_get_parameters_array(ht, tick_fe.arg_count, tick_fe.arguments) == FAILURE) {
 		efree(tick_fe.arguments);
@@ -3282,6 +3329,35 @@
 		new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
 	}
 
+	if (new_key[0] == 'H') {
+		if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
+		    (strcmp(new_key, "HTTP_POST_VARS")==0)||
+		    (strcmp(new_key, "HTTP_POST_FILES")==0)||
+		    (strcmp(new_key, "HTTP_ENV_VARS")==0)||
+		    (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
+		    (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
+		    (strcmp(new_key, "HTTP_COOKIE_VARS")==0)||
+		    (strcmp(new_key, "HTTP_RAW_POST_DATA")==0)) {
+		    efree(new_key);
+		    return 0;
+		}
+	} else if (new_key[0] == '_') {
+		if ((strcmp(new_key, "_COOKIE")==0)||
+		    (strcmp(new_key, "_ENV")==0)||
+		    (strcmp(new_key, "_FILES")==0)||
+		    (strcmp(new_key, "_GET")==0)||
+		    (strcmp(new_key, "_POST")==0)||
+		    (strcmp(new_key, "_REQUEST")==0)||
+		    (strcmp(new_key, "_SESSION")==0)||
+		    (strcmp(new_key, "_SERVER")==0)) {
+		    efree(new_key);
+		    return 0;
+		}
+	} else if (strcmp(new_key, "GLOBALS")==0) {
+		efree(new_key);
+		return 0;
+	}
+
 	zend_delete_global_variable(new_key, new_key_len-1 TSRMLS_CC);
 	ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
 
diff -Nura php-5.1.4/ext/standard/config.m4 hardening-patch-5.1.4-0.4.15/ext/standard/config.m4
--- php-5.1.4/ext/standard/config.m4	2006-01-04 22:31:29.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/config.m4	2006-09-05 20:31:04.000000000 +0200
@@ -203,7 +203,7 @@
   if test "$ac_cv_crypt_blowfish" = "yes"; then
     ac_result=1
   else
-    ac_result=0
+    ac_result=1
   fi
   AC_DEFINE_UNQUOTED(PHP_BLOWFISH_CRYPT, $ac_result, [Whether the system supports BlowFish salt])
 ])
@@ -489,7 +489,7 @@
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
                             var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
-                            filters.c proc_open.c streamsfuncs.c http.c)
+                            filters.c proc_open.c streamsfuncs.c http.c sha256.c crypt_blowfish.c )
 
 PHP_ADD_MAKEFILE_FRAGMENT
 
diff -Nura php-5.1.4/ext/standard/config.w32 hardening-patch-5.1.4-0.4.15/ext/standard/config.w32
--- php-5.1.4/ext/standard/config.w32	2006-01-04 22:31:29.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/config.w32	2006-09-05 20:31:04.000000000 +0200
@@ -16,5 +16,5 @@
 	url_scanner_ex.c ftp_fopen_wrapper.c http_fopen_wrapper.c \
 	php_fopen_wrapper.c credits.c css.c var_unserializer.c ftok.c sha1.c \
 	user_filters.c uuencode.c filters.c proc_open.c \
-	streamsfuncs.c http.c", false /* never shared */);
+	streamsfuncs.c http.c sha256.c crypt_blowfish.c", false /* never shared */);
 
diff -Nura php-5.1.4/ext/standard/crypt_blowfish.c hardening-patch-5.1.4-0.4.15/ext/standard/crypt_blowfish.c
--- php-5.1.4/ext/standard/crypt_blowfish.c	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/crypt_blowfish.c	2006-09-05 20:31:04.000000000 +0200
@@ -0,0 +1,748 @@
+/*
+ * This code comes from John the Ripper password cracker, with reentrant
+ * and crypt(3) interfaces added, but optimizations specific to password
+ * cracking removed.
+ *
+ * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
+ * placed in the public domain.
+ *
+ * There's absolutely no warranty.
+ *
+ * It is my intent that you should be able to use this on your system,
+ * as a part of a software package, or anywhere else to improve security,
+ * ensure compatibility, or for any other purpose. I would appreciate
+ * it if you give credit where it is due and keep your modifications in
+ * the public domain as well, but I don't require that in order to let
+ * you place this code and any modifications you make under a license
+ * of your choice.
+ *
+ * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
+ * by Niels Provos <provos at citi.umich.edu>, and uses some of his
+ * ideas. The password hashing algorithm was designed by David Mazieres
+ * <dm at lcs.mit.edu>.
+ *
+ * There's a paper on the algorithm that explains its design decisions:
+ *
+ *	http://www.usenix.org/events/usenix99/provos.html
+ *
+ * Some of the tricks in BF_ROUND might be inspired by Eric Young's
+ * Blowfish library (I can't be sure if I would think of something if I
+ * hadn't seen his code).
+ */
+
+#include <string.h>
+
+#include <errno.h>
+#ifndef __set_errno
+#define __set_errno(val) errno = (val)
+#endif
+
+#undef __CONST
+#ifdef __GNUC__
+#define __CONST __const
+#else
+#define __CONST
+#endif
+
+#ifdef __i386__
+#define BF_ASM				0
+#define BF_SCALE			1
+#elif defined(__alpha__) || defined(__hppa__)
+#define BF_ASM				0
+#define BF_SCALE			1
+#else
+#define BF_ASM				0
+#define BF_SCALE			0
+#endif
+
+typedef unsigned int BF_word;
+
+/* Number of Blowfish rounds, this is also hardcoded into a few places */
+#define BF_N				16
+
+typedef BF_word BF_key[BF_N + 2];
+
+typedef struct {
+	BF_word S[4][0x100];
+	BF_key P;
+} BF_ctx;
+
+/*
+ * Magic IV for 64 Blowfish encryptions that we do at the end.
+ * The string is "OrpheanBeholderScryDoubt" on big-endian.
+ */
+static BF_word BF_magic_w[6] = {
+	0x4F727068, 0x65616E42, 0x65686F6C,
+	0x64657253, 0x63727944, 0x6F756274
+};
+
+/*
+ * P-box and S-box tables initialized with digits of Pi.
+ */
+static BF_ctx BF_init_state = {
+	{
+		{
+			0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
+			0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
+			0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
+			0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
+			0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
+			0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
+			0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
+			0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
+			0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
+			0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
+			0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
+			0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
+			0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
+			0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
+			0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
+			0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
+			0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
+			0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
+			0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
+			0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
+			0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
+			0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
+			0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
+			0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
+			0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
+			0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
+			0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
+			0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
+			0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
+			0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
+			0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
+			0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
+			0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
+			0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
+			0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
+			0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
+			0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
+			0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
+			0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
+			0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
+			0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
+			0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
+			0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
+			0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
+			0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
+			0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
+			0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
+			0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
+			0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
+			0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
+			0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
+			0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
+			0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
+			0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
+			0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
+			0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
+			0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
+			0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
+			0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
+			0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
+			0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
+			0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
+			0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
+			0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
+		}, {
+			0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
+			0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
+			0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
+			0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
+			0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
+			0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
+			0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
+			0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
+			0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
+			0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
+			0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
+			0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
+			0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
+			0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
+			0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
+			0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
+			0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
+			0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
+			0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
+			0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
+			0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
+			0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
+			0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
+			0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
+			0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
+			0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
+			0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
+			0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
+			0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
+			0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
+			0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
+			0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
+			0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
+			0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
+			0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
+			0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
+			0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
+			0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
+			0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
+			0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
+			0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
+			0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
+			0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
+			0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
+			0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
+			0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
+			0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
+			0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
+			0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
+			0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
+			0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
+			0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
+			0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
+			0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
+			0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
+			0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
+			0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
+			0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
+			0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
+			0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
+			0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
+			0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
+			0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
+			0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
+		}, {
+			0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
+			0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
+			0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
+			0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
+			0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
+			0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
+			0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
+			0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
+			0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
+			0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
+			0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
+			0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
+			0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
+			0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
+			0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
+			0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
+			0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
+			0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
+			0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
+			0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
+			0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
+			0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
+			0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
+			0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
+			0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
+			0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
+			0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
+			0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
+			0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
+			0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
+			0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
+			0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
+			0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
+			0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
+			0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
+			0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
+			0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
+			0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
+			0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
+			0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
+			0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
+			0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
+			0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
+			0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
+			0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
+			0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
+			0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
+			0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
+			0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
+			0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
+			0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
+			0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
+			0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
+			0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
+			0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
+			0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
+			0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
+			0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
+			0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
+			0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
+			0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
+			0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
+			0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
+			0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
+		}, {
+			0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
+			0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
+			0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
+			0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
+			0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
+			0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
+			0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
+			0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
+			0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
+			0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
+			0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
+			0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
+			0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
+			0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
+			0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
+			0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
+			0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
+			0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
+			0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
+			0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
+			0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
+			0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
+			0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
+			0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
+			0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
+			0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
+			0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
+			0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
+			0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
+			0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
+			0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
+			0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
+			0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
+			0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
+			0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
+			0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
+			0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
+			0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
+			0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
+			0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
+			0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
+			0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
+			0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
+			0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
+			0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
+			0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
+			0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
+			0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
+			0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
+			0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
+			0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
+			0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
+			0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
+			0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
+			0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
+			0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
+			0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
+			0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
+			0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
+			0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
+			0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
+			0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
+			0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
+			0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
+		}
+	}, {
+		0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
+		0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
+		0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
+		0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
+		0x9216d5d9, 0x8979fb1b
+	}
+};
+
+static unsigned char BF_itoa64[64 + 1] =
+	"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+static unsigned char BF_atoi64[0x60] = {
+	64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
+	54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
+	64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
+	17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
+	64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
+	43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
+};
+
+/*
+ * This may be optimized out if built with function inlining and no BF_ASM.
+ */
+static void clean(void *data, int size)
+{
+#if BF_ASM
+	extern void _BF_clean(void *data);
+#endif
+	memset(data, 0, size);
+#if BF_ASM
+	_BF_clean(data);
+#endif
+}
+
+#define BF_safe_atoi64(dst, src) \
+{ \
+	tmp = (unsigned char)(src); \
+	if (tmp == '$') break; \
+	if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
+	tmp = BF_atoi64[tmp]; \
+	if (tmp > 63) return -1; \
+	(dst) = tmp; \
+}
+
+static int BF_decode(BF_word *dst, __CONST char *src, int size)
+{
+	unsigned char *dptr = (unsigned char *)dst;
+	unsigned char *end = dptr + size;
+	unsigned char *sptr = (unsigned char *)src;
+	unsigned int tmp, c1, c2, c3, c4;
+
+	do {
+		BF_safe_atoi64(c1, *sptr++);
+		BF_safe_atoi64(c2, *sptr++);
+		*dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
+		if (dptr >= end) break;
+
+		BF_safe_atoi64(c3, *sptr++);
+		*dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
+		if (dptr >= end) break;
+
+		BF_safe_atoi64(c4, *sptr++);
+		*dptr++ = ((c3 & 0x03) << 6) | c4;
+	} while (dptr < end);
+
+	while (dptr < end)
+		*dptr++ = 0;
+
+	return 0;
+}
+
+static void BF_encode(char *dst, __CONST BF_word *src, int size)
+{
+	unsigned char *sptr = (unsigned char *)src;
+	unsigned char *end = sptr + size;
+	unsigned char *dptr = (unsigned char *)dst;
+	unsigned int c1, c2;
+
+	do {
+		c1 = *sptr++;
+		*dptr++ = BF_itoa64[c1 >> 2];
+		c1 = (c1 & 0x03) << 4;
+		if (sptr >= end) {
+			*dptr++ = BF_itoa64[c1];
+			break;
+		}
+
+		c2 = *sptr++;
+		c1 |= c2 >> 4;
+		*dptr++ = BF_itoa64[c1];
+		c1 = (c2 & 0x0f) << 2;
+		if (sptr >= end) {
+			*dptr++ = BF_itoa64[c1];
+			break;
+		}
+
+		c2 = *sptr++;
+		c1 |= c2 >> 6;
+		*dptr++ = BF_itoa64[c1];
+		*dptr++ = BF_itoa64[c2 & 0x3f];
+	} while (sptr < end);
+}
+
+static void BF_swap(BF_word *x, int count)
+{
+	static int endianness_check = 1;
+	char *is_little_endian = (char *)&endianness_check;
+	BF_word tmp;
+
+	if (*is_little_endian)
+	do {
+		tmp = *x;
+		tmp = (tmp << 16) | (tmp >> 16);
+		*x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
+	} while (--count);
+}
+
+#if BF_SCALE
+/* Architectures which can shift addresses left by 2 bits with no extra cost */
+#define BF_ROUND(L, R, N) \
+	tmp1 = L & 0xFF; \
+	tmp2 = L >> 8; \
+	tmp2 &= 0xFF; \
+	tmp3 = L >> 16; \
+	tmp3 &= 0xFF; \
+	tmp4 = L >> 24; \
+	tmp1 = data.ctx.S[3][tmp1]; \
+	tmp2 = data.ctx.S[2][tmp2]; \
+	tmp3 = data.ctx.S[1][tmp3]; \
+	tmp3 += data.ctx.S[0][tmp4]; \
+	tmp3 ^= tmp2; \
+	R ^= data.ctx.P[N + 1]; \
+	tmp3 += tmp1; \
+	R ^= tmp3;
+#else
+/* Architectures with no complicated addressing modes supported */
+#define BF_INDEX(S, i) \
+	(*((BF_word *)(((unsigned char *)S) + (i))))
+#define BF_ROUND(L, R, N) \
+	tmp1 = L & 0xFF; \
+	tmp1 <<= 2; \
+	tmp2 = L >> 6; \
+	tmp2 &= 0x3FC; \
+	tmp3 = L >> 14; \
+	tmp3 &= 0x3FC; \
+	tmp4 = L >> 22; \
+	tmp4 &= 0x3FC; \
+	tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
+	tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
+	tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
+	tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
+	tmp3 ^= tmp2; \
+	R ^= data.ctx.P[N + 1]; \
+	tmp3 += tmp1; \
+	R ^= tmp3;
+#endif
+
+/*
+ * Encrypt one block, BF_N is hardcoded here.
+ */
+#define BF_ENCRYPT \
+	L ^= data.ctx.P[0]; \
+	BF_ROUND(L, R, 0); \
+	BF_ROUND(R, L, 1); \
+	BF_ROUND(L, R, 2); \
+	BF_ROUND(R, L, 3); \
+	BF_ROUND(L, R, 4); \
+	BF_ROUND(R, L, 5); \
+	BF_ROUND(L, R, 6); \
+	BF_ROUND(R, L, 7); \
+	BF_ROUND(L, R, 8); \
+	BF_ROUND(R, L, 9); \
+	BF_ROUND(L, R, 10); \
+	BF_ROUND(R, L, 11); \
+	BF_ROUND(L, R, 12); \
+	BF_ROUND(R, L, 13); \
+	BF_ROUND(L, R, 14); \
+	BF_ROUND(R, L, 15); \
+	tmp4 = R; \
+	R = L; \
+	L = tmp4 ^ data.ctx.P[BF_N + 1];
+
+#if BF_ASM
+#define BF_body() \
+	_BF_body_r(&data.ctx);
+#else
+#define BF_body() \
+	L = R = 0; \
+	ptr = data.ctx.P; \
+	do { \
+		ptr += 2; \
+		BF_ENCRYPT; \
+		*(ptr - 2) = L; \
+		*(ptr - 1) = R; \
+	} while (ptr < &data.ctx.P[BF_N + 2]); \
+\
+	ptr = data.ctx.S[0]; \
+	do { \
+		ptr += 2; \
+		BF_ENCRYPT; \
+		*(ptr - 2) = L; \
+		*(ptr - 1) = R; \
+	} while (ptr < &data.ctx.S[3][0xFF]);
+#endif
+
+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
+{
+	__CONST char *ptr = key;
+	int i, j;
+	BF_word tmp;
+
+	for (i = 0; i < BF_N + 2; i++) {
+		tmp = 0;
+		for (j = 0; j < 4; j++) {
+			tmp <<= 8;
+			tmp |= *ptr;
+
+			if (!*ptr) ptr = key; else ptr++;
+		}
+
+		expanded[i] = tmp;
+		initial[i] = BF_init_state.P[i] ^ tmp;
+	}
+}
+
+char *_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
+	char *output, int size)
+{
+#if BF_ASM
+	extern void _BF_body_r(BF_ctx *ctx);
+#endif
+	struct {
+		BF_ctx ctx;
+		BF_key expanded_key;
+		union {
+			BF_word salt[4];
+			BF_word output[6];
+		} binary;
+	} data;
+	BF_word L, R;
+	BF_word tmp1, tmp2, tmp3, tmp4;
+	BF_word *ptr;
+	BF_word count;
+	int i;
+
+	if (size < 7 + 22 + 31 + 1) {
+		__set_errno(ERANGE);
+		return NULL;
+	}
+
+	if (setting[0] != '$' ||
+	    setting[1] != '2' ||
+	    setting[2] != 'a' ||
+	    setting[3] != '$' ||
+	    setting[4] < '0' || setting[4] > '3' ||
+	    setting[5] < '0' || setting[5] > '9' ||
+	    setting[6] != '$') {
+		__set_errno(EINVAL);
+		return NULL;
+	}
+
+	count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
+	if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
+		clean(data.binary.salt, sizeof(data.binary.salt));
+		__set_errno(EINVAL);
+		return NULL;
+	}
+
+	BF_swap(data.binary.salt, 4);
+
+	BF_set_key(key, data.expanded_key, data.ctx.P);
+
+	memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
+
+	L = R = 0;
+	for (i = 0; i < BF_N + 2; i += 2) {
+		L ^= data.binary.salt[i & 2];
+		R ^= data.binary.salt[(i & 2) + 1];
+		BF_ENCRYPT;
+		data.ctx.P[i] = L;
+		data.ctx.P[i + 1] = R;
+	}
+
+	ptr = data.ctx.S[0];
+	do {
+		ptr += 4;
+		L ^= data.binary.salt[(BF_N + 2) & 3];
+		R ^= data.binary.salt[(BF_N + 3) & 3];
+		BF_ENCRYPT;
+		*(ptr - 4) = L;
+		*(ptr - 3) = R;
+
+		L ^= data.binary.salt[(BF_N + 4) & 3];
+		R ^= data.binary.salt[(BF_N + 5) & 3];
+		BF_ENCRYPT;
+		*(ptr - 2) = L;
+		*(ptr - 1) = R;
+	} while (ptr < &data.ctx.S[3][0xFF]);
+
+	do {
+		data.ctx.P[0] ^= data.expanded_key[0];
+		data.ctx.P[1] ^= data.expanded_key[1];
+		data.ctx.P[2] ^= data.expanded_key[2];
+		data.ctx.P[3] ^= data.expanded_key[3];
+		data.ctx.P[4] ^= data.expanded_key[4];
+		data.ctx.P[5] ^= data.expanded_key[5];
+		data.ctx.P[6] ^= data.expanded_key[6];
+		data.ctx.P[7] ^= data.expanded_key[7];
+		data.ctx.P[8] ^= data.expanded_key[8];
+		data.ctx.P[9] ^= data.expanded_key[9];
+		data.ctx.P[10] ^= data.expanded_key[10];
+		data.ctx.P[11] ^= data.expanded_key[11];
+		data.ctx.P[12] ^= data.expanded_key[12];
+		data.ctx.P[13] ^= data.expanded_key[13];
+		data.ctx.P[14] ^= data.expanded_key[14];
+		data.ctx.P[15] ^= data.expanded_key[15];
+		data.ctx.P[16] ^= data.expanded_key[16];
+		data.ctx.P[17] ^= data.expanded_key[17];
+
+		BF_body();
+
+		tmp1 = data.binary.salt[0];
+		tmp2 = data.binary.salt[1];
+		tmp3 = data.binary.salt[2];
+		tmp4 = data.binary.salt[3];
+		data.ctx.P[0] ^= tmp1;
+		data.ctx.P[1] ^= tmp2;
+		data.ctx.P[2] ^= tmp3;
+		data.ctx.P[3] ^= tmp4;
+		data.ctx.P[4] ^= tmp1;
+		data.ctx.P[5] ^= tmp2;
+		data.ctx.P[6] ^= tmp3;
+		data.ctx.P[7] ^= tmp4;
+		data.ctx.P[8] ^= tmp1;
+		data.ctx.P[9] ^= tmp2;
+		data.ctx.P[10] ^= tmp3;
+		data.ctx.P[11] ^= tmp4;
+		data.ctx.P[12] ^= tmp1;
+		data.ctx.P[13] ^= tmp2;
+		data.ctx.P[14] ^= tmp3;
+		data.ctx.P[15] ^= tmp4;
+		data.ctx.P[16] ^= tmp1;
+		data.ctx.P[17] ^= tmp2;
+
+		BF_body();
+	} while (--count);
+
+	for (i = 0; i < 6; i += 2) {
+		L = BF_magic_w[i];
+		R = BF_magic_w[i + 1];
+
+		count = 64;
+		do {
+			BF_ENCRYPT;
+		} while (--count);
+
+		data.binary.output[i] = L;
+		data.binary.output[i + 1] = R;
+	}
+
+	memcpy(output, setting, 7 + 22 - 1);
+	output[7 + 22 - 1] = BF_itoa64[(int)
+		BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
+
+/* This has to be bug-compatible with the original implementation, so
+ * only encode 23 of the 24 bytes. :-) */
+	BF_swap(data.binary.output, 6);
+	BF_encode(&output[7 + 22], data.binary.output, 23);
+	output[7 + 22 + 31] = '\0';
+
+/* Overwrite the most obvious sensitive data we have on the stack. Note
+ * that this does not guarantee there's no sensitive data left on the
+ * stack and/or in registers; I'm not aware of portable code that does. */
+	clean(&data, sizeof(data));
+
+	return output;
+}
+
+char *_crypt_gensalt_blowfish_rn(unsigned long count,
+	__CONST char *input, int size, char *output, int output_size)
+{
+	if (size < 16 || output_size < 7 + 22 + 1 ||
+	    (count && (count < 4 || count > 31))) {
+		if (output_size > 0) output[0] = '\0';
+		__set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
+		return NULL;
+	}
+
+	if (!count) count = 5;
+
+	output[0] = '$';
+	output[1] = '2';
+	output[2] = 'a';
+	output[3] = '$';
+	output[4] = '0' + count / 10;
+	output[5] = '0' + count % 10;
+	output[6] = '$';
+
+	BF_encode(&output[7], (BF_word *)input, 16);
+	output[7 + 22] = '\0';
+
+	return output;
+}
diff -Nura php-5.1.4/ext/standard/crypt.c hardening-patch-5.1.4-0.4.15/ext/standard/crypt.c
--- php-5.1.4/ext/standard/crypt.c	2006-01-01 13:50:14.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/crypt.c	2006-09-05 20:31:04.000000000 +0200
@@ -100,6 +100,8 @@
 	return SUCCESS;
 }
 
+char *_crypt_blowfish_rn(char *key, char *setting, char *output, int size);
+char *_crypt_gensalt_blowfish_rn(unsigned long count, char *input, int size, char *output, int output_size);
 
 static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 
@@ -135,7 +137,14 @@
 
 	/* The automatic salt generation only covers standard DES and md5-crypt */
 	if(!*salt) {
-#if PHP_MD5_CRYPT
+#if PHP_BLOWFISH_CRYPT
+		char randat[16];
+		int i;
+		
+		for (i=0; i<16; i++) randat[i] = PHP_CRYPT_RAND;
+		
+		_crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt));
+#elif PHP_MD5_CRYPT
 		strcpy(salt, "$1$");
 		php_to64(&salt[3], PHP_CRYPT_RAND, 4);
 		php_to64(&salt[7], PHP_CRYPT_RAND, 4);
@@ -145,8 +154,24 @@
 		salt[2] = '\0';
 #endif
 	}
-
-	RETVAL_STRING(crypt(str, salt), 1);
+	
+	if (salt[0] == '$' &&
+	    salt[1] == '2' &&
+	    salt[2] == 'a' &&
+	    salt[3] == '$' &&
+	    salt[4] >= '0' && salt[4] <= '3' &&
+	    salt[5] >= '0' && salt[5] <= '9' &&
+	    salt[6] == '$') {
+	    
+		char output[PHP_MAX_SALT_LEN+1];
+		
+		output[0] = 0;
+		_crypt_blowfish_rn(str, salt, output, sizeof(output));
+		RETVAL_STRING(output, 1);
+	    
+	} else {
+		RETVAL_STRING(crypt(str, salt), 1);
+	}
 }
 /* }}} */
 #endif
diff -Nura php-5.1.4/ext/standard/dl.c hardening-patch-5.1.4-0.4.15/ext/standard/dl.c
--- php-5.1.4/ext/standard/dl.c	2006-01-01 13:50:14.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/dl.c	2006-09-05 20:31:04.000000000 +0200
@@ -164,8 +164,35 @@
 		RETURN_FALSE;
 	}
 	module_entry = get_module();
+
+	/* check if Hardening-Patch is installed */
+	if (module_entry->zend_api < 1000000000) {
+		php_error_docref(NULL TSRMLS_CC, error_type,
+				  "%s: Unable to initialize module\n"
+				  "Module compiled without Hardening-Patch, module API=%d, debug=%d, thread-safety=%d\n"
+				  "PHP    compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
+				  "These options need to match\n",
+				  module_entry->name, module_entry->zend_api, module_entry->zend_debug, module_entry->zts,
+				  HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
+		DL_UNLOAD(handle);
+		RETURN_FALSE;
+	}
+
+	/* check if correct Hardening-Patch is installed */
+	if (module_entry->zend_api != HARDENING_PATCH_ZEND_MODULE_API_NO) {
+		php_error_docref(NULL TSRMLS_CC, error_type,
+				  "%s: Unable to initialize module\n"
+				  "Module compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
+				  "PHP    compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
+				  "These options need to match\n",
+				  module_entry->name, module_entry->zend_api, module_entry->real_zend_api, module_entry->zend_debug, module_entry->zts,
+				  HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
+		DL_UNLOAD(handle);
+		RETURN_FALSE;
+	}
+
 	if ((module_entry->zend_debug != ZEND_DEBUG) || (module_entry->zts != USING_ZTS)
-		|| (module_entry->zend_api != ZEND_MODULE_API_NO)) {
+		|| (module_entry->real_zend_api != ZEND_MODULE_API_NO)) {
 		/* Check for pre-4.1.0 module which has a slightly different module_entry structure :( */
 			struct pre_4_1_0_module_entry {
 				  char *name;
@@ -199,7 +226,7 @@
 				zts        = ((struct pre_4_1_0_module_entry *)module_entry)->zts; 
 			} else {			
 				name       = module_entry->name;
-				zend_api   = module_entry->zend_api;
+				zend_api   = module_entry->real_zend_api;
 				zend_debug = module_entry->zend_debug;
 				zts        = module_entry->zts; 
 			}
diff -Nura php-5.1.4/ext/standard/file.c hardening-patch-5.1.4-0.4.15/ext/standard/file.c
--- php-5.1.4/ext/standard/file.c	2006-04-06 04:39:55.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/standard/file.c	2006-09-05 20:31:04.000000000 +0200
@@ -2302,7 +2302,7 @@
 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
 /* {{{ proto string realpath(string path)
    Return the resolved path */
-PHP_FUNCTION(realpath)
+PHP_FUNCTION(real_path)
 {
 	zval **path;
 	char resolved_path_buff[MAXPATHLEN];
diff -Nura php-5.1.4/ext/standard/file.h hardening-patch-5.1.4-0.4.15/ext/standard/file.h
--- php-5.1.4/ext/standard/file.h	2006-01-13 05:05:59.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/file.h	2006-09-05 20:31:04.000000000 +0200
@@ -61,7 +61,7 @@
 PHP_FUNCTION(fd_set);
 PHP_FUNCTION(fd_isset);
 #if (!defined(__BEOS__) && HAVE_REALPATH) || defined(ZTS)
-PHP_FUNCTION(realpath);
+PHP_FUNCTION(real_path);
 PHP_FUNCTION(fnmatch);
 #endif
 PHP_NAMED_FUNCTION(php_if_ftruncate);
diff -Nura php-5.1.4/ext/standard/filestat.c hardening-patch-5.1.4-0.4.15/ext/standard/filestat.c
--- php-5.1.4/ext/standard/filestat.c	2006-04-25 10:41:02.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/standard/filestat.c	2006-09-05 20:31:04.000000000 +0200
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: filestat.c,v 1.136.2.8 2006/04/25 08:41:02 tony2001 Exp $ */
+/* $Id: filestat.c,v 1.136.2.9 2006/08/10 21:30:23 iliaa Exp $ */
 
 #include "php.h"
 #include "safe_mode.h"
@@ -634,7 +634,7 @@
 	}
 
 	if ((wrapper = php_stream_locate_url_wrapper(filename, &local, 0 TSRMLS_CC)) == &php_plain_files_wrapper) {
-		if (php_check_open_basedir(local TSRMLS_CC)) {
+		if (php_check_open_basedir(local TSRMLS_CC) || (PG(safe_mode) && !php_checkuid_ex(filename, NULL, CHECKUID_ALLOW_FILE_NOT_EXISTS, CHECKUID_NO_ERRORS))) {
 			RETURN_FALSE;
 		}
 	}
diff -Nura php-5.1.4/ext/standard/head.c hardening-patch-5.1.4-0.4.15/ext/standard/head.c
--- php-5.1.4/ext/standard/head.c	2006-01-01 13:50:14.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/head.c	2006-09-05 20:31:04.000000000 +0200
@@ -45,7 +45,7 @@
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|bl", &ctr.line,
 				&ctr.line_len, &rep, &ctr.response_code) == FAILURE)
 		return;
-	
+
 	sapi_header_op(rep ? SAPI_HEADER_REPLACE:SAPI_HEADER_ADD, &ctr TSRMLS_CC);
 }
 /* }}} */
diff -Nura php-5.1.4/ext/standard/info.c hardening-patch-5.1.4-0.4.15/ext/standard/info.c
--- php-5.1.4/ext/standard/info.c	2006-03-31 13:11:12.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/standard/info.c	2006-09-05 20:31:04.000000000 +0200
@@ -154,7 +154,7 @@
 			if (Z_TYPE_PP(tmp) == IS_ARRAY) {
 				if (!sapi_module.phpinfo_as_text) {
 					PUTS("<pre>");
-					zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
+					zend_print_zval_r_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0 TSRMLS_CC);
 					PUTS("</pre>");
 				} else {
 					zend_print_zval_r(*tmp, 0 TSRMLS_CC);
@@ -411,7 +411,7 @@
 
 	if (flag & PHP_INFO_GENERAL) {
 		char *zend_version = get_zend_version();
-		char temp_api[10];
+		char temp_api[11];
 		char *logo_guid;
 
 		php_uname = php_get_uname('a');
@@ -434,11 +434,22 @@
 			PUTS("\" alt=\"PHP Logo\" /></a>");
 		}
 
+#if HARDENING_PATCH
+		if (!sapi_module.phpinfo_as_text) {
+			php_printf("<h1 class=\"p\">PHP Version %s with <a href=\"http://www.hardened-php.net\">Hardening-Patch</a> %s</h1>\n", PHP_VERSION, HARDENING_PATCH_VERSION);
+		} else {
+			char temp_ver[40];	
+		
+			snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENING_PATCH_VERSION);
+			php_info_print_table_row(2, "PHP/Hardening-Patch Version", temp_ver);
+		}
+#else
 		if (!sapi_module.phpinfo_as_text) {
 			php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
 		} else {
 			php_info_print_table_row(2, "PHP Version", PHP_VERSION);
-		}	
+		}
+#endif
 		php_info_print_box_end();
 		php_info_print_table_start();
 		php_info_print_table_row(2, "System", php_uname );
diff -Nura php-5.1.4/ext/standard/mail.c hardening-patch-5.1.4-0.4.15/ext/standard/mail.c
--- php-5.1.4/ext/standard/mail.c	2006-01-01 13:50:15.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/mail.c	2006-09-05 20:31:04.000000000 +0200
@@ -78,6 +78,25 @@
 }
 /* }}} */
 
+/* {{{ hphp_strcasestr */
+char *hphp_strcasestr(char *haystack, char *needle)
+{
+	unsigned char *t, *h, *n;
+
+	h = (unsigned char *) haystack;
+conts:
+	while (*h) {
+		n = (unsigned char *) needle;
+		for (t=h++; *n && *h; t++, n++) {
+			if (toupper(*t) != toupper(*n)) goto conts;
+		}
+    		return ((char*)h-1);
+	}
+
+	return (NULL);
+}
+/* }}} */
+
 /* {{{ proto int mail(string to, string subject, string message [, string additional_headers [, string additional_parameters]])
    Send an email message */
 PHP_FUNCTION(mail)
@@ -104,6 +123,44 @@
 		return;
 	}
 
+	if (HG(hphp_mailprotect) > 0) {
+		if (headers_len > 0 && headers && (strstr(headers,"\n\n") || strstr(headers,"\r\n\r\n")) ) {
+			php_security_log(S_MAIL, "mail() - double newline in headers, possible injection, mail dropped");
+			RETURN_FALSE;
+		}
+
+		/* check for spam attempts with buggy webforms */
+		if (to_len > 0 && to && (strchr(to, '\n') != NULL || strchr(to, '\r') != NULL)) {
+			php_security_log(S_MAIL, "mail() - newline in to header, possible injection, mail dropped");
+			RETURN_FALSE;
+		}
+
+		if (subject_len > 0 && subject && (strchr(subject, '\n') != NULL || strchr(subject, '\r') != NULL)) {
+			php_security_log(S_MAIL, "mail() - newline subject header, possible injection, mail dropped");
+			RETURN_FALSE;
+		}
+		
+		if (HG(hphp_mailprotect) > 1) {
+			/* search for to, cc or bcc headers */
+			if (headers_len > 0 && headers != NULL) {
+				if (strncasecmp(headers, "to:", sizeof("to:") - 1) == 0 || hphp_strcasestr(headers, "\nto:")) {
+					php_security_log(S_MAIL, "mail() - To: headers aren't allowed in the headers parameter.");
+					RETURN_FALSE;
+				}
+
+				if (strncasecmp(headers, "cc:", sizeof("cc:") - 1) == 0 || hphp_strcasestr(headers, "\ncc:")) {
+					php_security_log(S_MAIL, "mail() - CC: headers aren't allowed in the headers parameter.");
+					RETURN_FALSE;
+				}
+
+				if (strncasecmp(headers, "bcc:", sizeof("bcc:") - 1) == 0 || hphp_strcasestr(headers, "\nbcc:")) {
+					php_security_log(S_MAIL, "mail() - BCC: headers aren't allowed in the headers parameter.");
+					RETURN_FALSE;
+				}
+			}
+		}
+	}
+
 	if (to_len > 0) {
 		to_r = estrndup(to, to_len);
 		for (; to_len; to_len--) {
diff -Nura php-5.1.4/ext/standard/php_array.h hardening-patch-5.1.4-0.4.15/ext/standard/php_array.h
--- php-5.1.4/ext/standard/php_array.h	2006-02-07 18:54:24.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/php_array.h	2006-09-05 20:31:04.000000000 +0200
@@ -19,7 +19,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: php_array.h,v 1.50.2.2 2006/02/07 17:54:24 andrei Exp $ */
+/* $Id: php_array.h,v 1.50.2.3 2006/06/03 18:59:55 andrei Exp $ */
 
 #ifndef PHP_ARRAY_H
 #define PHP_ARRAY_H
@@ -108,8 +108,6 @@
 	int (*compare_func)(zval *result, zval *op1, zval *op2 TSRMLS_DC);
 ZEND_END_MODULE_GLOBALS(array) 
 
-ZEND_DECLARE_MODULE_GLOBALS(array)
-
 #ifdef ZTS
 #define ARRAYG(v) TSRMG(array_globals_id, zend_array_globals *, v)
 #else
diff -Nura php-5.1.4/ext/standard/php_standard.h hardening-patch-5.1.4-0.4.15/ext/standard/php_standard.h
--- php-5.1.4/ext/standard/php_standard.h	2006-01-04 22:31:29.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/php_standard.h	2006-09-05 20:31:04.000000000 +0200
@@ -28,6 +28,7 @@
 #include "php_mail.h"
 #include "md5.h"
 #include "sha1.h"
+#include "sha256.h"
 #include "html.h"
 #include "exec.h"
 #include "file.h"
diff -Nura php-5.1.4/ext/standard/scanf.c hardening-patch-5.1.4-0.4.15/ext/standard/scanf.c
--- php-5.1.4/ext/standard/scanf.c	2006-01-01 13:50:15.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/scanf.c	2006-09-05 20:31:04.000000000 +0200
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: scanf.c,v 1.31.2.2 2006/01/01 12:50:15 sniper Exp $ */
+/* $Id: scanf.c,v 1.31.2.3 2006/08/04 20:34:31 tony2001 Exp $ */
 
 /*
    scanf.c --
@@ -732,7 +732,7 @@
 			if (*end == '$') {
 				format = end+1;
 				ch = format++;
-				objIndex = varStart + value;
+				objIndex = varStart + value - 1;
 			}
 		}
 
@@ -762,7 +762,9 @@
 		switch (*ch) {
 			case 'n':
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						zend_uint refcount;
 
 						current = args[objIndex++];
@@ -888,7 +890,9 @@
 					}
 				}
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						zend_uint refcount;
 
 						current = args[objIndex++];
@@ -932,7 +936,9 @@
 					goto done;
 				}
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						current = args[objIndex++];
 						zval_dtor( *current );
 						ZVAL_STRINGL( *current, string, end-string, 1);
@@ -1089,7 +1095,9 @@
 					value = (int) (*fn)(buf, NULL, base);
 					if ((flags & SCAN_UNSIGNED) && (value < 0)) {
 						sprintf(buf, "%u", value); /* INTL: ISO digit */
-						if (numVars) {
+						if (numVars && objIndex >= argCount) {
+							break;
+						} else if (numVars) {
 						  /* change passed value type to string */
 						   current = args[objIndex++];
 						   convert_to_string( *current );
@@ -1098,7 +1106,9 @@
 							add_index_string(*return_value, objIndex++, buf, 1);
 						}
 					} else {
-						if (numVars) {
+						if (numVars && objIndex >= argCount) {
+							break;
+						} else if (numVars) {
 							current = args[objIndex++];
 							convert_to_long( *current );
 							Z_LVAL(**current) = value;
@@ -1206,7 +1216,9 @@
 					double dvalue;
 					*end = '\0';
 					dvalue = zend_strtod(buf, NULL);
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						current = args[objIndex++];
 						convert_to_double( *current );
 						Z_DVAL_PP( current ) = dvalue;
diff -Nura php-5.1.4/ext/standard/sha256.c hardening-patch-5.1.4-0.4.15/ext/standard/sha256.c
--- php-5.1.4/ext/standard/sha256.c	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/sha256.c	2006-09-05 20:31:04.000000000 +0200
@@ -0,0 +1,388 @@
+/*
+   +----------------------------------------------------------------------+
+   | PHP Version 5                                                        |
+   +----------------------------------------------------------------------+
+   | Copyright (c) 1997-2004 The PHP Group                                |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 3.0 of the PHP license,       |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available through the world-wide-web at the following url:           |
+   | http://www.php.net/license/3_0.txt.                                  |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+   | Author: Stefan Esser <sesser@php.net>                                |
+   +----------------------------------------------------------------------+
+*/
+
+/* $Id: sha256.c,v 1.9 2004/01/08 08:17:34 andi Exp $ */
+
+#include "php.h"
+
+/* This code is heavily based on the PHP md5/sha1 implementations */ 
+
+#include "sha256.h"
+
+PHPAPI void make_sha256_digest(char *sha256str, unsigned char *digest)
+{
+	int i;
+
+	for (i = 0; i < 32; i++) {
+		sprintf(sha256str, "%02x", digest[i]);
+		sha256str += 2;
+	}
+
+	*sha256str = '\0';
+}
+
+/* {{{ proto string sha256(string str [, bool raw_output])
+   Calculate the sha256 hash of a string */
+PHP_FUNCTION(sha256)
+{
+	char *arg;
+	int arg_len;
+	zend_bool raw_output = 0;
+	char sha256str[65];
+	PHP_SHA256_CTX context;
+	unsigned char digest[32];
+	
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
+		return;
+	}
+
+	sha256str[0] = '\0';
+	PHP_SHA256Init(&context);
+	PHP_SHA256Update(&context, arg, arg_len);
+	PHP_SHA256Final(digest, &context);
+	if (raw_output) {
+		RETURN_STRINGL(digest, 32, 1);
+	} else {
+		make_sha256_digest(sha256str, digest);
+		RETVAL_STRING(sha256str, 1);
+	}
+
+}
+
+/* }}} */
+
+/* {{{ proto string sha256_file(string filename [, bool raw_output])
+   Calculate the sha256 hash of given filename */
+PHP_FUNCTION(sha256_file)
+{
+	char          *arg;
+	int           arg_len;
+	zend_bool raw_output = 0;
+	char          sha256str[65];
+	unsigned char buf[1024];
+	unsigned char digest[32];
+	PHP_SHA256_CTX   context;
+	int           n;
+	php_stream    *stream;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
+		return;
+	}
+	
+	stream = php_stream_open_wrapper(arg, "rb", REPORT_ERRORS | ENFORCE_SAFE_MODE, NULL);
+	if (!stream) {
+		RETURN_FALSE;
+	}
+
+	PHP_SHA256Init(&context);
+
+	while ((n = php_stream_read(stream, buf, sizeof(buf))) > 0) {
+		PHP_SHA256Update(&context, buf, n);
+	}
+
+	PHP_SHA256Final(digest, &context);
+
+	php_stream_close(stream);
+
+	if (n<0) {
+		RETURN_FALSE;
+	}
+
+	if (raw_output) {
+		RETURN_STRINGL(digest, 32, 1);
+	} else {
+		make_sha256_digest(sha256str, digest);
+		RETVAL_STRING(sha256str, 1);
+	}
+}
+/* }}} */
+
+
+static void SHA256Transform(php_uint32[8], const unsigned char[64]);
+static void SHA256Encode(unsigned char *, php_uint32 *, unsigned int);
+static void SHA256Decode(php_uint32 *, const unsigned char *, unsigned int);
+
+static unsigned char PADDING[64] =
+{
+	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/* F, G, H and I are basic SHA256 functions.
+ */
+#define F(x) (ROTATE_RIGHT(x,2) ^ ROTATE_RIGHT(x,13) ^ ROTATE_RIGHT(x,22))
+#define G(x, y, z) (((x) & (y)) | ((z) & ((y) | (x))))
+#define H(x) (ROTATE_RIGHT(x,6) ^ ROTATE_RIGHT(x,11) ^ ROTATE_RIGHT(x,25))
+#define I(x, y, z) (((x) & (y)) | ((~x) & z))
+
+/* ROTATE_RIGHT rotates x right n bits.
+ */
+#define ROTATE_RIGHT(x, n) (((x) >> (n)) | ((x) << (32-(n))))
+
+/* W[i]
+ */
+#define W(i) ( tmp1=ROTATE_RIGHT(x[(i-15)&15],7)^ROTATE_RIGHT(x[(i-15)&15],18)^(x[(i-15)&15] >> 3), \
+	tmp2=ROTATE_RIGHT(x[(i-2)&15],17)^ROTATE_RIGHT(x[(i-2)&15],19)^(x[(i-2)&15] >> 10), \
+	(x[i&15]=x[i&15] + tmp1 + x[(i-7)&15] + tmp2) ) 
+
+/* ROUND function of sha256
+ */
+
+#define ROUND(a,b,c,d,e,f,g,h,w,k) { \
+ t1 = (h) + H((e)) + I((e), (f), (g)) + (k) + (php_uint32)(w); \
+ (h) = F((a)) + G((a), (b), (c)) + t1; \
+ (d) += t1; \
+ } 
+			                    
+
+/* {{{ PHP_SHA256Init
+ * SHA256 initialization. Begins an SHA256 operation, writing a new context.
+ */
+static void PHP_SHA256Init(PHP_SHA256_CTX * context)
+{
+	context->count[0] = context->count[1] = 0;
+	/* Load magic initialization constants.
+	 */
+	context->state[0] = 0x6a09e667;
+	context->state[1] = 0xbb67ae85;
+	context->state[2] = 0x3c6ef372;
+	context->state[3] = 0xa54ff53a;
+	context->state[4] = 0x510e527f;
+	context->state[5] = 0x9b05688c;
+	context->state[6] = 0x1f83d9ab;
+	context->state[7] = 0x5be0cd19;	
+}
+/* }}} */
+
+/* {{{ PHP_SHA256Update
+   SHA256 block update operation. Continues an SHA256 message-digest
+   operation, processing another message block, and updating the
+   context.
+ */
+static void PHP_SHA256Update(PHP_SHA256_CTX * context, const unsigned char *input,
+			   unsigned int inputLen)
+{
+	unsigned int i, index, partLen;
+
+	/* Compute number of bytes mod 64 */
+	index = (unsigned int) ((context->count[0] >> 3) & 0x3F);
+
+	/* Update number of bits */
+	if ((context->count[0] += ((php_uint32) inputLen << 3))
+		< ((php_uint32) inputLen << 3))
+		context->count[1]++;
+	context->count[1] += ((php_uint32) inputLen >> 29);
+
+	partLen = 64 - index;
+
+	/* Transform as many times as possible.
+	 */
+	if (inputLen >= partLen) {
+		memcpy
+			((unsigned char*) & context->buffer[index], (unsigned char*) input, partLen);
+		SHA256Transform(context->state, context->buffer);
+
+		for (i = partLen; i + 63 < inputLen; i += 64)
+			SHA256Transform(context->state, &input[i]);
+
+		index = 0;
+	} else
+		i = 0;
+
+	/* Buffer remaining input */
+	memcpy
+		((unsigned char*) & context->buffer[index], (unsigned char*) & input[i],
+		 inputLen - i);
+}
+/* }}} */
+
+/* {{{ PHP_SHA256Final
+   SHA256 finalization. Ends an SHA256 message-digest operation, writing the
+   the message digest and zeroizing the context.
+ */
+static void PHP_SHA256Final(unsigned char digest[32], PHP_SHA256_CTX * context)
+{
+	unsigned char bits[8];
+	unsigned int index, padLen;
+
+	/* Save number of bits */
+	bits[7] = context->count[0] & 0xFF;
+	bits[6] = (context->count[0] >> 8) & 0xFF;
+	bits[5] = (context->count[0] >> 16) & 0xFF;
+	bits[4] = (context->count[0] >> 24) & 0xFF;
+	bits[3] = context->count[1] & 0xFF;
+	bits[2] = (context->count[1] >> 8) & 0xFF;
+	bits[1] = (context->count[1] >> 16) & 0xFF;
+	bits[0] = (context->count[1] >> 24) & 0xFF;
+	
+	/* Pad out to 56 mod 64.
+	 */
+	index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
+	padLen = (index < 56) ? (56 - index) : (120 - index);
+	PHP_SHA256Update(context, PADDING, padLen);
+
+	/* Append length (before padding) */
+	PHP_SHA256Update(context, bits, 8);
+
+	/* Store state in digest */
+	SHA256Encode(digest, context->state, 32);
+
+	/* Zeroize sensitive information.
+	 */
+	memset((unsigned char*) context, 0, sizeof(*context));
+}
+/* }}} */
+
+/* {{{ SHA256Transform
+ * SHA256 basic transformation. Transforms state based on block.
+ */
+static void SHA256Transform(state, block)
+php_uint32 state[8];
+const unsigned char block[64];
+{
+	php_uint32 a = state[0], b = state[1], c = state[2];
+	php_uint32 d = state[3], e = state[4], f = state[5];
+	php_uint32 g = state[6], h = state[7], x[16], tmp1, tmp2, t1;
+
+	SHA256Decode(x, block, 64);
+
+	ROUND(a, b, c, d, e, f, g, h, x[0], 0x428a2f98)
+	ROUND(h, a, b, c, d, e, f, g, x[1], 0x71374491)
+	ROUND(g, h, a, b, c, d, e, f, x[2], 0xb5c0fbcf)
+	ROUND(f, g, h, a, b, c, d, e, x[3], 0xe9b5dba5)
+	ROUND(e, f, g, h, a, b, c, d, x[4], 0x3956c25b)
+	ROUND(d, e, f, g, h, a, b, c, x[5], 0x59f111f1)
+	ROUND(c, d, e, f, g, h, a, b, x[6], 0x923f82a4)
+	ROUND(b, c, d, e, f, g, h, a, x[7], 0xab1c5ed5)
+	ROUND(a, b, c, d, e, f, g, h, x[8], 0xd807aa98)
+	ROUND(h, a, b, c, d, e, f, g, x[9], 0x12835b01)
+	ROUND(g, h, a, b, c, d, e, f, x[10], 0x243185be)
+	ROUND(f, g, h, a, b, c, d, e, x[11], 0x550c7dc3)
+	ROUND(e, f, g, h, a, b, c, d, x[12], 0x72be5d74)
+	ROUND(d, e, f, g, h, a, b, c, x[13], 0x80deb1fe)
+	ROUND(c, d, e, f, g, h, a, b, x[14], 0x9bdc06a7)
+	ROUND(b, c, d, e, f, g, h, a, x[15], 0xc19bf174)
+	ROUND(a, b, c, d, e, f, g, h, W(16), 0xe49b69c1)
+	ROUND(h, a, b, c, d, e, f, g, W(17), 0xefbe4786)
+	ROUND(g, h, a, b, c, d, e, f, W(18), 0x0fc19dc6)
+	ROUND(f, g, h, a, b, c, d, e, W(19), 0x240ca1cc)
+	ROUND(e, f, g, h, a, b, c, d, W(20), 0x2de92c6f)
+	ROUND(d, e, f, g, h, a, b, c, W(21), 0x4a7484aa)
+	ROUND(c, d, e, f, g, h, a, b, W(22), 0x5cb0a9dc)
+	ROUND(b, c, d, e, f, g, h, a, W(23), 0x76f988da)
+	ROUND(a, b, c, d, e, f, g, h, W(24), 0x983e5152)
+	ROUND(h, a, b, c, d, e, f, g, W(25), 0xa831c66d)
+	ROUND(g, h, a, b, c, d, e, f, W(26), 0xb00327c8)
+	ROUND(f, g, h, a, b, c, d, e, W(27), 0xbf597fc7)
+	ROUND(e, f, g, h, a, b, c, d, W(28), 0xc6e00bf3)
+	ROUND(d, e, f, g, h, a, b, c, W(29), 0xd5a79147)
+	ROUND(c, d, e, f, g, h, a, b, W(30), 0x06ca6351)
+	ROUND(b, c, d, e, f, g, h, a, W(31), 0x14292967)
+	ROUND(a, b, c, d, e, f, g, h, W(32), 0x27b70a85)
+	ROUND(h, a, b, c, d, e, f, g, W(33), 0x2e1b2138)
+	ROUND(g, h, a, b, c, d, e, f, W(34), 0x4d2c6dfc)
+	ROUND(f, g, h, a, b, c, d, e, W(35), 0x53380d13)
+	ROUND(e, f, g, h, a, b, c, d, W(36), 0x650a7354)
+	ROUND(d, e, f, g, h, a, b, c, W(37), 0x766a0abb)
+	ROUND(c, d, e, f, g, h, a, b, W(38), 0x81c2c92e)
+	ROUND(b, c, d, e, f, g, h, a, W(39), 0x92722c85)
+	ROUND(a, b, c, d, e, f, g, h, W(40), 0xa2bfe8a1)
+	ROUND(h, a, b, c, d, e, f, g, W(41), 0xa81a664b)
+	ROUND(g, h, a, b, c, d, e, f, W(42), 0xc24b8b70)
+	ROUND(f, g, h, a, b, c, d, e, W(43), 0xc76c51a3)
+	ROUND(e, f, g, h, a, b, c, d, W(44), 0xd192e819)
+	ROUND(d, e, f, g, h, a, b, c, W(45), 0xd6990624)
+	ROUND(c, d, e, f, g, h, a, b, W(46), 0xf40e3585)
+	ROUND(b, c, d, e, f, g, h, a, W(47), 0x106aa070)
+	ROUND(a, b, c, d, e, f, g, h, W(48), 0x19a4c116)
+	ROUND(h, a, b, c, d, e, f, g, W(49), 0x1e376c08)
+	ROUND(g, h, a, b, c, d, e, f, W(50), 0x2748774c)
+	ROUND(f, g, h, a, b, c, d, e, W(51), 0x34b0bcb5)
+	ROUND(e, f, g, h, a, b, c, d, W(52), 0x391c0cb3)
+	ROUND(d, e, f, g, h, a, b, c, W(53), 0x4ed8aa4a)
+	ROUND(c, d, e, f, g, h, a, b, W(54), 0x5b9cca4f)
+	ROUND(b, c, d, e, f, g, h, a, W(55), 0x682e6ff3)
+	ROUND(a, b, c, d, e, f, g, h, W(56), 0x748f82ee)
+	ROUND(h, a, b, c, d, e, f, g, W(57), 0x78a5636f)
+	ROUND(g, h, a, b, c, d, e, f, W(58), 0x84c87814)
+	ROUND(f, g, h, a, b, c, d, e, W(59), 0x8cc70208)
+	ROUND(e, f, g, h, a, b, c, d, W(60), 0x90befffa)
+	ROUND(d, e, f, g, h, a, b, c, W(61), 0xa4506ceb)
+	ROUND(c, d, e, f, g, h, a, b, W(62), 0xbef9a3f7)
+	ROUND(b, c, d, e, f, g, h, a, W(63), 0xc67178f2)
+
+	state[0] += a;
+	state[1] += b;
+	state[2] += c;
+	state[3] += d;
+	state[4] += e;
+	state[5] += f;
+	state[6] += g;
+	state[7] += h;
+
+	/* Zeroize sensitive information. */
+	memset((unsigned char*) x, 0, sizeof(x));
+}
+/* }}} */
+
+/* {{{ SHA256Encode
+   Encodes input (php_uint32) into output (unsigned char). Assumes len is
+   a multiple of 4.
+ */
+static void SHA256Encode(output, input, len)
+unsigned char *output;
+php_uint32 *input;
+unsigned int len;
+{
+	unsigned int i, j;
+
+	for (i = 0, j = 0; j < len; i++, j += 4) {
+		output[j] = (unsigned char) ((input[i] >> 24) & 0xff);
+		output[j + 1] = (unsigned char) ((input[i] >> 16) & 0xff);
+		output[j + 2] = (unsigned char) ((input[i] >> 8) & 0xff);
+		output[j + 3] = (unsigned char) (input[i] & 0xff);
+	}
+}
+/* }}} */
+
+/* {{{ SHA256Decode
+   Decodes input (unsigned char) into output (php_uint32). Assumes len is
+   a multiple of 4.
+ */
+static void SHA256Decode(output, input, len)
+php_uint32 *output;
+const unsigned char *input;
+unsigned int len;
+{
+	unsigned int i, j;
+
+	for (i = 0, j = 0; j < len; i++, j += 4)
+		output[i] = ((php_uint32) input[j + 3]) | (((php_uint32) input[j + 2]) << 8) |
+			(((php_uint32) input[j + 1]) << 16) | (((php_uint32) input[j]) << 24);
+}
+/* }}} */
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: sw=4 ts=4 fdm=marker
+ * vim<600: sw=4 ts=4
+ */
diff -Nura php-5.1.4/ext/standard/sha256.h hardening-patch-5.1.4-0.4.15/ext/standard/sha256.h
--- php-5.1.4/ext/standard/sha256.h	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/sha256.h	2006-09-05 20:31:04.000000000 +0200
@@ -0,0 +1,40 @@
+/*
+   +----------------------------------------------------------------------+
+   | PHP Version 5                                                        |
+   +----------------------------------------------------------------------+
+   | Copyright (c) 1997-2004 The PHP Group                                |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 3.0 of the PHP license,       |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available through the world-wide-web at the following url:           |
+   | http://www.php.net/license/3_0.txt.                                  |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+   | Author: Stefan Esser <sesser@php.net>                                |
+   +----------------------------------------------------------------------+
+*/
+
+/* $Id: sha256.h,v 1.4 2004/01/08 17:32:52 sniper Exp $ */
+
+#ifndef SHA256_H
+#define SHA256_H
+
+#include "ext/standard/basic_functions.h"
+
+/* SHA1 context. */
+typedef struct {
+	php_uint32 state[8];		/* state (ABCD) */
+	php_uint32 count[2];		/* number of bits, modulo 2^64 (lsb first) */
+	unsigned char buffer[64];	/* input buffer */
+} PHP_SHA256_CTX;
+
+static void PHP_SHA256Init(PHP_SHA256_CTX *);
+static void PHP_SHA256Update(PHP_SHA256_CTX *, const unsigned char *, unsigned int);
+static void PHP_SHA256Final(unsigned char[32], PHP_SHA256_CTX *);
+
+PHP_FUNCTION(sha256);
+PHP_FUNCTION(sha256_file);
+
+#endif
diff -Nura php-5.1.4/ext/standard/string.c hardening-patch-5.1.4-0.4.15/ext/standard/string.c
--- php-5.1.4/ext/standard/string.c	2006-04-25 14:48:41.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/standard/string.c	2006-09-05 20:31:04.000000000 +0200
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.445.2.14 2006/04/25 12:48:41 tony2001 Exp $ */
+/* $Id: string.c,v 1.445.2.16 2006/08/10 17:46:43 iliaa Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -632,7 +632,8 @@
 {
 	const char *text, *breakchar = "\n";
 	char *newtext;
-	int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+	int textlen, breakcharlen = 1, newtextlen, chk;
+	size_t alloced;
 	long current = 0, laststart = 0, lastspace = 0;
 	long linelength = 75;
 	zend_bool docut = 0;
@@ -1612,10 +1613,18 @@
 		RETURN_FALSE;
 	}
 
+	if (haystack_len == 0) { 
+		RETURN_FALSE; 
+	}
+
 	haystack_dup = estrndup(haystack, haystack_len);
 	php_strtolower(haystack_dup, haystack_len);
 
 	if (Z_TYPE_P(needle) == IS_STRING) {
+		if (Z_STRLEN_P(needle) == 0 || Z_STRLEN_P(needle) > haystack_len) {
+			efree(haystack_dup); 
+			RETURN_FALSE; 
+		} 
 		needle_dup = estrndup(Z_STRVAL_P(needle), Z_STRLEN_P(needle));
 		php_strtolower(needle_dup, Z_STRLEN_P(needle));
 		found = php_memnstr(haystack_dup + offset, needle_dup, Z_STRLEN_P(needle), haystack_dup + haystack_len);
@@ -4194,7 +4203,7 @@
 	zval		**input_str;		/* Input string */
 	zval		**mult;			/* Multiplier */
 	char		*result;		/* Resulting string */
-	int		result_len;		/* Length of the resulting string */
+	size_t		result_len;		/* Length of the resulting string */
 	
 	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &input_str, &mult) == FAILURE) {
 		WRONG_PARAM_COUNT;
@@ -4219,11 +4228,7 @@
 	
 	/* Initialize the result string */	
 	result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult);
-	if (result_len < 1 || result_len > 2147483647) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes");
-		RETURN_FALSE;
-	}
-	result = (char *)emalloc(result_len + 1);
+	result = (char *)safe_emalloc(Z_STRLEN_PP(input_str), Z_LVAL_PP(mult), 1);
 	
 	/* Heavy optimization for situations where input string is 1 byte long */
 	if (Z_STRLEN_PP(input_str) == 1) {
@@ -4894,7 +4899,7 @@
 		offset = (offset < 0) ? 0 : offset;
 	}
 
-	if ((offset + len) >= s1_len) {
+	if ((offset + len) > s1_len) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length");
 		RETURN_FALSE;
 	}
diff -Nura php-5.1.4/ext/standard/syslog.c hardening-patch-5.1.4-0.4.15/ext/standard/syslog.c
--- php-5.1.4/ext/standard/syslog.c	2006-03-21 01:59:08.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/standard/syslog.c	2006-09-05 20:31:04.000000000 +0200
@@ -42,6 +42,7 @@
  */
 PHP_MINIT_FUNCTION(syslog)
 {
+#if !HARDENING_PATCH
 	/* error levels */
 	REGISTER_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
 	REGISTER_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
@@ -97,6 +98,7 @@
 	/* AIX doesn't have LOG_PERROR */
 	REGISTER_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
 #endif
+#endif
 	BG(syslog_device)=NULL;
 
 	return SUCCESS;
diff -Nura php-5.1.4/ext/varfilter/config.m4 hardening-patch-5.1.4-0.4.15/ext/varfilter/config.m4
--- php-5.1.4/ext/varfilter/config.m4	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/varfilter/config.m4	2006-09-05 20:31:04.000000000 +0200
@@ -0,0 +1,11 @@
+dnl
+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
+dnl
+
+PHP_ARG_ENABLE(varfilter, whether to enable Hardening-Patch's variable filter,
+[  --disable-varfilter     Disable Hardening-Patch's variable filter], yes)
+
+if test "$PHP_VARFILTER" != "no"; then
+  AC_DEFINE(HAVE_VARFILTER, 1, [ ])
+  PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
+fi
diff -Nura php-5.1.4/ext/varfilter/CREDITS hardening-patch-5.1.4-0.4.15/ext/varfilter/CREDITS
--- php-5.1.4/ext/varfilter/CREDITS	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/varfilter/CREDITS	2006-09-05 20:31:04.000000000 +0200
@@ -0,0 +1,2 @@
+varfilter
+Stefan Esser
\ Kein Zeilenumbruch am Dateiende.
diff -Nura php-5.1.4/ext/varfilter/php_varfilter.h hardening-patch-5.1.4-0.4.15/ext/varfilter/php_varfilter.h
--- php-5.1.4/ext/varfilter/php_varfilter.h	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/varfilter/php_varfilter.h	2006-09-05 20:31:04.000000000 +0200
@@ -0,0 +1,144 @@
+/*
+  +----------------------------------------------------------------------+
+  | Hardened-PHP Project's varfilter extension                           |
+  +----------------------------------------------------------------------+
+  | Copyright (c) 2004-2005 Stefan Esser                                 |
+  +----------------------------------------------------------------------+
+  | This source file is subject to version 2.02 of the PHP license,      |
+  | that is bundled with this package in the file LICENSE, and is        |
+  | available at through the world-wide-web at                           |
+  | http://www.php.net/license/2_02.txt.                                 |
+  | If you did not receive a copy of the PHP license and are unable to   |
+  | obtain it through the world-wide-web, please send a note to          |
+  | license@php.net so we can mail you a copy immediately.               |
+  +----------------------------------------------------------------------+
+  | Author: Stefan Esser <sesser@hardened-php.net>                       |
+  +----------------------------------------------------------------------+
+
+  $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $ 
+*/
+
+#ifndef PHP_VARFILTER_H
+#define PHP_VARFILTER_H
+
+extern zend_module_entry varfilter_module_entry;
+#define phpext_varfilter_ptr &varfilter_module_entry
+
+#ifdef PHP_WIN32
+#define PHP_VARFILTER_API __declspec(dllexport)
+#else
+#define PHP_VARFILTER_API
+#endif
+
+#ifdef ZTS
+#include "TSRM.h"
+#endif
+
+#include "SAPI.h"
+
+#include "php_variables.h"
+
+#ifdef ZEND_ENGINE_2
+#define HASH_HTTP_GET_VARS      0x2095733f
+#define HASH_HTTP_POST_VARS     0xbfee1265
+#define HASH_HTTP_COOKIE_VARS   0xaaca9d99
+#define HASH_HTTP_ENV_VARS      0x1fe186a8
+#define HASH_HTTP_SERVER_VARS   0xc987afd6
+#define HASH_HTTP_SESSION_VARS  0x7aba0d43
+#define HASH_HTTP_POST_FILES    0x98eb1ddc
+#define HASH_HTTP_RAW_POST_DATA 0xdd633fec
+#else
+#define HASH_HTTP_GET_VARS      0x8d8645bd
+#define HASH_HTTP_POST_VARS     0x7c699bf3
+#define HASH_HTTP_COOKIE_VARS   0x93ad0d6f
+#define HASH_HTTP_ENV_VARS      0x84da3016
+#define HASH_HTTP_SERVER_VARS   0x6dbf964e
+#define HASH_HTTP_SESSION_VARS  0x322906f5
+#define HASH_HTTP_POST_FILES    0xe4e4ce70
+#define HASH_HTTP_RAW_POST_DATA 0xe6137a0e
+#endif
+
+PHP_MINIT_FUNCTION(varfilter);
+PHP_MSHUTDOWN_FUNCTION(varfilter);
+PHP_RINIT_FUNCTION(varfilter);
+PHP_RSHUTDOWN_FUNCTION(varfilter);
+PHP_MINFO_FUNCTION(varfilter);
+
+
+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
+/*	request variables */
+	long  max_request_variables;
+	long  cur_request_variables;
+	long  max_varname_length;
+	long  max_totalname_length;
+	long  max_value_length;
+	long  max_array_depth;
+	long  max_array_index_length;
+	zend_bool  disallow_nul;
+/*	cookie variables */
+	long  max_cookie_vars;
+	long  cur_cookie_vars;
+	long  max_cookie_name_length;
+	long  max_cookie_totalname_length;
+	long  max_cookie_value_length;
+	long  max_cookie_array_depth;
+	long  max_cookie_array_index_length;
+	zend_bool  disallow_cookie_nul;
+/*	get variables */
+	long  max_get_vars;
+	long  cur_get_vars;
+	long  max_get_name_length;
+	long  max_get_totalname_length;
+	long  max_get_value_length;
+	long  max_get_array_depth;
+	long  max_get_array_index_length;
+	zend_bool  disallow_get_nul;
+/*	post variables */
+	long  max_post_vars;
+	long  cur_post_vars;
+	long  max_post_name_length;
+	long  max_post_totalname_length;
+	long  max_post_value_length;
+	long  max_post_array_depth;
+	long  max_post_array_index_length;
+	zend_bool  disallow_post_nul;
+/*	fileupload */
+	long  max_uploads;
+	long  cur_uploads;
+	zend_bool  disallow_elf_files;
+	char *verification_script;
+        
+        zend_bool  no_more_variables;
+        zend_bool  no_more_get_variables;
+        zend_bool  no_more_post_variables;
+        zend_bool  no_more_cookie_variables;
+        zend_bool  no_more_uploads;
+
+ZEND_END_MODULE_GLOBALS(varfilter)
+
+
+#ifdef ZTS
+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
+#else
+#define VARFILTER_G(v) (varfilter_globals.v)
+#endif
+
+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter);
+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter);
+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter);
+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter);
+SAPI_TREAT_DATA_FUNC(varfilter_treat_data);
+
+
+
+#endif	/* PHP_VARFILTER_H */
+
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * indent-tabs-mode: t
+ * End:
+ */
diff -Nura php-5.1.4/ext/varfilter/varfilter.c hardening-patch-5.1.4-0.4.15/ext/varfilter/varfilter.c
--- php-5.1.4/ext/varfilter/varfilter.c	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/ext/varfilter/varfilter.c	2006-09-07 18:51:41.000000000 +0200
@@ -0,0 +1,915 @@
+/*
+  +----------------------------------------------------------------------+
+  | Hardened-PHP Project's varfilter extension                           |
+  +----------------------------------------------------------------------+
+  | Copyright (c) 2004-2005 Stefan Esser                                 |
+  +----------------------------------------------------------------------+
+  | This source file is subject to version 2.02 of the PHP license,      |
+  | that is bundled with this package in the file LICENSE, and is        |
+  | available at through the world-wide-web at                           |
+  | http://www.php.net/license/2_02.txt.                                 |
+  | If you did not receive a copy of the PHP license and are unable to   |
+  | obtain it through the world-wide-web, please send a note to          |
+  | license@php.net so we can mail you a copy immediately.               |
+  +----------------------------------------------------------------------+
+  | Author: Stefan Esser <sesser@hardened-php.net>                       |
+  +----------------------------------------------------------------------+
+
+  $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $ 
+*/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "php.h"
+#include "php_ini.h"
+#include "ext/standard/info.h"
+#include "php_varfilter.h"
+#include "hardening_patch.h"
+
+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
+
+/* True global resources - no need for thread safety here */
+static int le_varfilter;
+
+static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL;
+static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC) = NULL;
+static zend_bool hooked = 0;
+
+/* {{{ varfilter_module_entry
+ */
+zend_module_entry varfilter_module_entry = {
+#if ZEND_MODULE_API_NO >= 20010901
+	STANDARD_MODULE_HEADER,
+#endif
+	"varfilter",
+	NULL,
+	PHP_MINIT(varfilter),
+	PHP_MSHUTDOWN(varfilter),
+	PHP_RINIT(varfilter),		/* Replace with NULL if there's nothing to do at request start */
+	PHP_RSHUTDOWN(varfilter),	/* Replace with NULL if there's nothing to do at request end */
+	PHP_MINFO(varfilter),
+#if ZEND_MODULE_API_NO >= 20010901
+	"0.4.15", /* Replace with version number for your extension */
+#endif
+	STANDARD_MODULE_PROPERTIES
+};
+/* }}} */
+
+#ifdef COMPILE_DL_VARFILTER
+ZEND_GET_MODULE(varfilter)
+#endif
+
+/* {{{ PHP_INI
+ */
+PHP_INI_BEGIN()
+    /* for backward compatibility */
+    STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("varfilter.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("varfilter.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("varfilter.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
+
+    STD_PHP_INI_ENTRY("hphp.request.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.request.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.request.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.request.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.request.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.request.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.request.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_nul, zend_varfilter_globals, varfilter_globals)
+
+    STD_PHP_INI_ENTRY("hphp.cookie.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_vars, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.cookie.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_name_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.cookie.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_cookie_totalname_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.cookie.max_value_length", "10000", PHP_INI_PERDIR, OnUpdateLong, max_cookie_value_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.cookie.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_depth, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.cookie.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_index_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.cookie.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_cookie_nul, zend_varfilter_globals, varfilter_globals)
+
+    STD_PHP_INI_ENTRY("hphp.get.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_get_vars, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.get.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_name_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.get.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_get_totalname_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.get.max_value_length", "512", PHP_INI_PERDIR, OnUpdateLong, max_get_value_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.get.max_array_depth", "50", PHP_INI_PERDIR, OnUpdateLong, max_get_array_depth, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.get.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_array_index_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.get.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_get_nul, zend_varfilter_globals, varfilter_globals)
+
+    STD_PHP_INI_ENTRY("hphp.post.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_post_vars, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.post.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_name_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.post.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_post_totalname_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.post.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_post_value_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.post.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_post_array_depth, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.post.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_array_index_length, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.post.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_post_nul, zend_varfilter_globals, varfilter_globals)
+
+    STD_PHP_INI_ENTRY("hphp.upload.max_uploads", "25", PHP_INI_PERDIR, OnUpdateLong, max_uploads, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.upload.disallow_elf_files", "1", PHP_INI_SYSTEM, OnUpdateBool, disallow_elf_files, zend_varfilter_globals, varfilter_globals)
+    STD_PHP_INI_ENTRY("hphp.upload.verification_script", NULL, PHP_INI_SYSTEM, OnUpdateString, verification_script, zend_varfilter_globals, varfilter_globals)
+
+
+PHP_INI_END()
+/* }}} */
+
+/* {{{ php_varfilter_init_globals
+ */
+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
+{
+	varfilter_globals->max_request_variables = 200;
+	varfilter_globals->max_varname_length = 64;
+	varfilter_globals->max_value_length = 10000;
+	varfilter_globals->max_array_depth = 100;
+	varfilter_globals->max_totalname_length = 256;
+	varfilter_globals->max_array_index_length = 64;
+	varfilter_globals->disallow_nul = 1;
+
+	varfilter_globals->max_cookie_vars = 100;
+	varfilter_globals->max_cookie_name_length = 64;
+	varfilter_globals->max_cookie_totalname_length = 256;
+	varfilter_globals->max_cookie_value_length = 10000;
+	varfilter_globals->max_cookie_array_depth = 100;
+	varfilter_globals->max_cookie_array_index_length = 64;
+	varfilter_globals->disallow_cookie_nul = 1;
+	
+	varfilter_globals->max_get_vars = 100;
+	varfilter_globals->max_get_name_length = 64;
+	varfilter_globals->max_get_totalname_length = 256;
+	varfilter_globals->max_get_value_length = 512;
+	varfilter_globals->max_get_array_depth = 50;
+	varfilter_globals->max_get_array_index_length = 64;
+	varfilter_globals->disallow_get_nul = 1;
+	
+	varfilter_globals->max_post_vars = 200;
+	varfilter_globals->max_post_name_length = 64;
+	varfilter_globals->max_post_totalname_length = 256;
+	varfilter_globals->max_post_value_length = 65000;
+	varfilter_globals->max_post_array_depth = 100;
+	varfilter_globals->max_post_array_index_length = 64;
+	varfilter_globals->disallow_post_nul = 1;
+
+	varfilter_globals->max_uploads = 25;
+	varfilter_globals->disallow_elf_files = 1;
+	varfilter_globals->verification_script = NULL;
+        
+        varfilter_globals->no_more_variables = 0;
+        varfilter_globals->no_more_get_variables = 0;
+        varfilter_globals->no_more_post_variables = 0;
+        varfilter_globals->no_more_cookie_variables = 0;
+        varfilter_globals->no_more_uploads = 0;
+
+	varfilter_globals->cur_request_variables = 0;
+	varfilter_globals->cur_get_vars = 0;
+	varfilter_globals->cur_post_vars = 0;
+	varfilter_globals->cur_cookie_vars = 0;
+	
+	varfilter_globals->cur_uploads = 0;
+        
+}
+/* }}} */
+
+
+void varfilter_register_server_variables(zval *track_vars_array TSRMLS_DC)
+{
+        HashTable *svars;
+        int retval, failure=0;
+        
+        orig_register_server_variables(track_vars_array TSRMLS_CC);
+
+        svars = Z_ARRVAL_P(track_vars_array);
+        
+        retval = zend_hash_del_key_or_index(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"), HASH_HTTP_GET_VARS, HASH_DEL_INDEX);
+        if (retval == SUCCESS) failure = 1;
+        retval = zend_hash_del_key_or_index(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"), HASH_HTTP_POST_VARS, HASH_DEL_INDEX);
+        if (retval == SUCCESS) failure = 1;
+        retval = zend_hash_del_key_or_index(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"), HASH_HTTP_COOKIE_VARS, HASH_DEL_INDEX);
+        if (retval == SUCCESS) failure = 1;
+        retval = zend_hash_del_key_or_index(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"), HASH_HTTP_ENV_VARS, HASH_DEL_INDEX);
+        if (retval == SUCCESS) failure = 1;
+        retval = zend_hash_del_key_or_index(svars, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"), HASH_HTTP_SERVER_VARS, HASH_DEL_INDEX);
+        if (retval == SUCCESS) failure = 1;
+        retval = zend_hash_del_key_or_index(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), HASH_HTTP_SESSION_VARS, HASH_DEL_INDEX);
+        if (retval == SUCCESS) failure = 1;
+        retval = zend_hash_del_key_or_index(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"), HASH_HTTP_POST_FILES, HASH_DEL_INDEX);
+        if (retval == SUCCESS) failure = 1;
+        retval = zend_hash_del_key_or_index(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"), HASH_HTTP_RAW_POST_DATA, HASH_DEL_INDEX);
+        if (retval == SUCCESS) failure = 1;
+        
+        if (failure) {
+                php_security_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header");
+        }
+}
+
+int varfilter_header_handler(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC)
+{
+        int retval = SAPI_HEADER_ADD, i;
+        char *tmp;
+        
+        if (!HG(hphp_multiheader) && sapi_header && sapi_header->header) {
+                
+                tmp = sapi_header->header;
+                for (i=0; i<sapi_header->header_len; i++, tmp++) {
+                        if (tmp[0] == 0) {
+                                char *fname = get_active_function_name(TSRMLS_C);
+                                
+                                if (!fname) {
+                                        fname = "unknown";
+                                }
+                                
+                                php_security_log(S_MISC, "%s() - wanted to send a HTTP header with an ASCII NUL in it", fname);
+                                sapi_header->header_len = i;
+                        } else if (tmp[0] == '\n' && (i == sapi_header->header_len-1 || (tmp[1] != ' ' && tmp[1] != '\t'))) {
+                                char *fname = get_active_function_name(TSRMLS_C);
+                                
+                                if (!fname) {
+                                        fname = "unknown";
+                                }
+                                
+                                php_security_log(S_MISC, "%s() - wanted to send multiple HTTP headers at once", fname);
+                                sapi_header->header_len = i;
+                                tmp[0] = 0;
+                        }
+                }
+        }
+
+        if (orig_header_handler) {
+                retval = orig_header_handler(sapi_header, sapi_headers TSRMLS_CC);
+        }
+        
+        return retval;
+}
+
+/* {{{ PHP_MINIT_FUNCTION
+ */
+PHP_MINIT_FUNCTION(varfilter)
+{
+	ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
+	REGISTER_INI_ENTRIES();
+
+        if (!hooked) {
+                void *temp;
+                hooked = 1;
+                
+                temp = (void *)sapi_module.register_server_variables;
+                if (temp != varfilter_register_server_variables) {
+                        orig_register_server_variables = temp;
+                }
+                temp = (void *)sapi_module.header_handler;
+                if (temp != varfilter_header_handler) {
+                        orig_header_handler = temp;
+                }
+        }
+        
+	sapi_register_input_filter(varfilter_input_filter);
+	sapi_register_upload_varname_filter(varfilter_upload_varname_filter);
+	sapi_register_pre_upload_filter(varfilter_pre_upload_filter);
+	sapi_register_upload_content_filter(varfilter_upload_content_filter);
+	sapi_register_post_upload_filter(varfilter_post_upload_filter);
+        
+        sapi_module.header_handler = varfilter_header_handler;
+        sapi_module.register_server_variables = varfilter_register_server_variables;
+
+        
+        return SUCCESS;
+}
+/* }}} */
+
+/* {{{ PHP_MSHUTDOWN_FUNCTION
+ */
+PHP_MSHUTDOWN_FUNCTION(varfilter)
+{
+	UNREGISTER_INI_ENTRIES();
+
+	return SUCCESS;
+}
+/* }}} */
+
+/* Remove if there's nothing to do at request start */
+/* {{{ PHP_RINIT_FUNCTION
+ */
+PHP_RINIT_FUNCTION(varfilter)
+{
+	VARFILTER_G(cur_request_variables) = 0;
+	VARFILTER_G(cur_get_vars) = 0;
+	VARFILTER_G(cur_post_vars) = 0;
+	VARFILTER_G(cur_cookie_vars) = 0;
+	
+	VARFILTER_G(cur_uploads) = 0;
+        
+        VARFILTER_G(no_more_variables) = 0;
+        VARFILTER_G(no_more_get_variables) = 0;
+        VARFILTER_G(no_more_post_variables) = 0;
+        VARFILTER_G(no_more_cookie_variables) = 0;
+        VARFILTER_G(no_more_uploads) = 0;
+	
+	return SUCCESS;
+}
+/* }}} */
+
+/* Remove if there's nothing to do at request end */
+/* {{{ PHP_RSHUTDOWN_FUNCTION
+ */
+PHP_RSHUTDOWN_FUNCTION(varfilter)
+{
+	return SUCCESS;
+}
+/* }}} */
+
+/* {{{ PHP_MINFO_FUNCTION
+ */
+PHP_MINFO_FUNCTION(varfilter)
+{
+	php_info_print_table_start();
+	php_info_print_table_header(2, "Hardening-Patch's variable filter support", "enabled");
+	php_info_print_table_end();
+
+	DISPLAY_INI_ENTRIES();
+}
+/* }}} */
+
+/* {{{ normalize_varname
+ */
+static void normalize_varname(char *varname)
+{
+	char *s=varname, *index=NULL, *indexend=NULL, *p;
+	
+	/* overjump leading space */
+	while (*s == ' ') {
+		s++;
+	}
+	
+	/* and remove it */
+	if (s != varname) {
+		memmove(varname, s, strlen(s)+1);
+	}
+
+	for (p=varname; *p && *p != '['; p++) {
+		switch(*p) {
+			case ' ':
+			case '.':
+				*p='_';
+				break;
+		}
+	}
+
+	/* find index */
+	index = strchr(varname, '[');
+	if (index) {
+		index++;
+		s=index;
+	} else {
+		return;
+	}
+
+	/* done? */
+	while (index) {
+
+		while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
+			index++;
+		}
+		indexend = strchr(index, ']');
+		indexend = indexend ? indexend + 1 : index + strlen(index);
+		
+		if (s != index) {
+			memmove(s, index, strlen(index)+1);
+			s += indexend-index;
+		} else {
+			s = indexend;
+		}
+
+		if (*s == '[') {
+			s++;
+			index = s;
+		} else {
+			index = NULL;
+		}	
+	}
+	*s++='\0';
+}
+/* }}} */
+
+/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC
+ */
+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter)
+{
+	char *index, *prev_index = NULL, *var;
+	unsigned int var_len, total_len, depth = 0;
+
+	var = estrdup(varname);
+
+	/* Normalize the variable name */
+	normalize_varname(var);
+	
+	/* Find length of variable name */
+	index = strchr(var, '[');
+	total_len = strlen(var);
+	var_len = index ? index-var : total_len;
+	
+	/* Drop this variable if it exceeds the varname/total length limit */
+	if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
+		php_security_log(S_FILES, "configured request variable name length limit exceeded - dropped %s", var);
+		goto return_failure;
+	}
+	if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
+		php_security_log(S_FILES, "configured request variable total name length limit exceeded - dropped %s", var);
+		goto return_failure;
+	}
+	if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
+		php_security_log(S_FILES, "configured POST variable name length limit exceeded - dropped %s", var);
+
+		goto return_failure;
+	}
+	if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
+		php_security_log(S_FILES, "configured POST variable total name length limit exceeded - dropped %s", var);
+		goto return_failure;
+	}
+	
+	/* Find out array depth */
+	while (index) {
+		unsigned int index_length;
+		
+		depth++;
+		index = strchr(index+1, '[');
+		
+		if (prev_index) {
+			index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
+			
+			if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
+				php_security_log(S_FILES, "configured request variable array index length limit exceeded - dropped %s", var);
+				goto return_failure;
+			} 
+			if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
+				php_security_log(S_FILES, "configured POST variable array index length limit exceeded - dropped %s", var);
+				goto return_failure;
+			} 
+			prev_index = index;
+		}
+		
+	}
+	
+	/* Drop this variable if it exceeds the array depth limit */
+	if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
+		php_security_log(S_FILES, "configured request variable array depth limit exceeded - dropped %s", var);
+		goto return_failure;
+	}
+	if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
+		php_security_log(S_FILES, "configured POST variable array depth limit exceeded - dropped %s", var);
+		goto return_failure;
+	}
+	
+	
+	/* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
+	/* This is to protect several silly scripts that do globalizing themself */
+	
+	switch (var_len) {
+	    case 18:
+		if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname2;
+		break;
+	    case 17:
+		if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname2;
+		break;
+	    case 16:
+		if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname2;
+		if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname2;
+		break;
+	    case 15:
+		if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname2;
+		break;
+	    case 14:
+		if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname2;
+		break;
+	    case 13:
+		if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname2;
+		if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname2;
+		break;
+	    case 8:
+		if (memcmp(var, "_SESSION", 8)==0) goto protected_varname2;
+		if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname2;
+		break;
+	    case 7:
+		if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname2;
+		if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname2;
+		if (memcmp(var, "_SERVER", 7)==0) goto protected_varname2;
+		break;
+	    case 6:
+		if (memcmp(var, "_FILES", 6)==0) goto protected_varname2;
+		break;
+	    case 5:
+		if (memcmp(var, "_POST", 5)==0) goto protected_varname2;
+		break;
+	    case 4:
+		if (memcmp(var, "_ENV", 4)==0) goto protected_varname2;
+		if (memcmp(var, "_GET", 4)==0) goto protected_varname2;
+		break;
+	}
+
+	efree(var);
+	return SUCCESS;
+protected_varname2:
+	php_security_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var);
+return_failure:
+	efree(var);
+	return FAILURE;	
+}
+/* }}} */
+
+/* {{{ SAPI_PRE_UPLOAD_FILTER_FUNC
+ */
+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter)
+{
+        /* Drop if no more variables flag is set */
+        if (VARFILTER_G(no_more_uploads)) {
+                return FAILURE;
+        }
+	/* Drop this fileupload if the limit is reached */
+	if (VARFILTER_G(max_uploads) && VARFILTER_G(max_uploads) <= VARFILTER_G(cur_uploads)) {
+		php_security_log(S_FILES, "configured fileupload limit exceeded - file dropped");
+                VARFILTER_G(no_more_uploads) = 1;
+		return FAILURE;
+	}
+	
+	return SUCCESS;
+}
+/* }}} */
+
+/* {{{ SAPI_UPLOAD_CONTENT_FILTER_FUNC
+ */
+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter)
+{
+
+	if (VARFILTER_G(disallow_elf_files)) {
+
+		if (offset == 0 && buffer_len > 10) {
+			
+			if (buffer[0] == 0x7F && buffer[1] == 'E' && buffer[2] == 'L' && buffer[3] == 'F') {
+				php_security_log(S_FILES, "uploaded file is an ELF executable - file dropped");
+				return FAILURE;
+			}
+		}
+	
+	}
+
+	return SUCCESS;
+}
+/* }}} */
+
+/* {{{ SAPI_POST_UPLOAD_FILTER_FUNC
+ */
+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter)
+{
+	int retval = SUCCESS;
+
+	if (VARFILTER_G(verification_script)) {
+		char cmd[8192];
+		FILE *in;
+		int first=1;
+		
+		ap_php_snprintf(cmd, sizeof(cmd), "%s %s", VARFILTER_G(verification_script), tmpfilename);
+
+		if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
+			php_security_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", VARFILTER_G(verification_script));
+			return FAILURE;
+		}
+		
+		retval = FAILURE;
+		
+		/* read and forget the result */
+		while (1) {
+			int readbytes = fread(cmd, 1, sizeof(cmd), in);
+			if (readbytes<=0) {
+				break;
+			}
+			if (first) {
+				retval = atoi(cmd) == 1 ? SUCCESS : FAILURE;
+				first = 0;
+			}
+		}
+		pclose(in);
+	}
+
+	if (retval != SUCCESS) {
+		php_security_log(S_FILES, "fileupload verification script disallows file - file dropped");
+		return FAILURE;
+	}
+
+	VARFILTER_G(cur_uploads)++;
+	return SUCCESS;
+}
+/* }}} */
+
+/* {{{ SAPI_INPUT_FILTER_FUNC
+ */
+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
+{
+	char *index, *prev_index = NULL;
+	unsigned int var_len, total_len, depth = 0;
+
+	/* Drop this variable if the limit was reached */
+        switch (arg) {
+            case PARSE_GET:
+                        if (VARFILTER_G(no_more_get_variables)) {
+                                return 0;
+                        }
+                        break;
+            case PARSE_POST:
+                        if (VARFILTER_G(no_more_post_variables)) {
+                                return 0;
+                        }
+                        break;
+            case PARSE_COOKIE:
+                        if (VARFILTER_G(no_more_cookie_variables)) {
+                                return 0;
+                        }
+                        break;
+            default:    /* we do not want to protect parse_str() and friends */
+	                if (new_val_len) {
+		                *new_val_len = val_len;
+	                }
+                        return 1;
+        }
+        if (VARFILTER_G(no_more_variables)) {
+                return 0;
+        }
+        
+        /* Drop this variable if the limit is now reached */
+	if (VARFILTER_G(max_request_variables) && VARFILTER_G(max_request_variables) <= VARFILTER_G(cur_request_variables)) {
+		php_security_log(S_VARS, "configured request variable limit exceeded - dropped %s", var);
+                VARFILTER_G(no_more_variables) = 1;
+		return 0;
+	}
+	switch (arg) {
+	    case PARSE_GET:
+			if (VARFILTER_G(max_get_vars) && VARFILTER_G(max_get_vars) <= VARFILTER_G(cur_get_vars)) {
+				php_security_log(S_VARS, "configured GET variable limit exceeded - dropped %s", var);
+                                VARFILTER_G(no_more_get_variables) = 1;
+				return 0;
+			}
+			break;
+	    case PARSE_COOKIE:
+			if (VARFILTER_G(max_cookie_vars) && VARFILTER_G(max_cookie_vars) <= VARFILTER_G(cur_cookie_vars)) {
+				php_security_log(S_VARS, "configured COOKIE variable limit exceeded - dropped %s", var);
+                                VARFILTER_G(no_more_cookie_variables) = 1;
+				return 0;
+			}
+			break;
+	    case PARSE_POST:
+			if (VARFILTER_G(max_post_vars) && VARFILTER_G(max_post_vars) <= VARFILTER_G(cur_post_vars)) {
+				php_security_log(S_VARS, "configured POST variable limit exceeded - dropped %s", var);
+                                VARFILTER_G(no_more_post_variables) = 1;
+                                return 0;
+			}
+			break;
+	}
+	
+	
+	/* Drop this variable if it exceeds the value length limit */
+	if (VARFILTER_G(max_value_length) && VARFILTER_G(max_value_length) < val_len) {
+		php_security_log(S_VARS, "configured request variable value length limit exceeded - dropped %s", var);
+		return 0;
+	}
+	switch (arg) {
+	    case PARSE_GET:
+			if (VARFILTER_G(max_get_value_length) && VARFILTER_G(max_get_value_length) < val_len) {
+				php_security_log(S_VARS, "configured GET variable value length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	    case PARSE_COOKIE:
+			if (VARFILTER_G(max_cookie_value_length) && VARFILTER_G(max_cookie_value_length) < val_len) {
+				php_security_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	    case PARSE_POST:
+			if (VARFILTER_G(max_post_value_length) && VARFILTER_G(max_post_value_length) < val_len) {
+				php_security_log(S_VARS, "configured POST variable value length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	}
+	
+	/* Normalize the variable name */
+	normalize_varname(var);
+	
+	/* Find length of variable name */
+	index = strchr(var, '[');
+	total_len = strlen(var);
+	var_len = index ? index-var : total_len;
+	
+	/* Drop this variable if it exceeds the varname/total length limit */
+	if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
+		php_security_log(S_VARS, "configured request variable name length limit exceeded - dropped %s", var);
+		return 0;
+	}
+	if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
+		php_security_log(S_VARS, "configured request variable total name length limit exceeded - dropped %s", var);
+		return 0;
+	}
+	switch (arg) {
+	    case PARSE_GET:
+			if (VARFILTER_G(max_get_name_length) && VARFILTER_G(max_get_name_length) < var_len) {
+				php_security_log(S_VARS, "configured GET variable name length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			if (VARFILTER_G(max_get_totalname_length) && VARFILTER_G(max_get_totalname_length) < var_len) {
+				php_security_log(S_VARS, "configured GET variable total name length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	    case PARSE_COOKIE:
+			if (VARFILTER_G(max_cookie_name_length) && VARFILTER_G(max_cookie_name_length) < var_len) {
+				php_security_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			if (VARFILTER_G(max_cookie_totalname_length) && VARFILTER_G(max_cookie_totalname_length) < var_len) {
+				php_security_log(S_VARS, "configured COOKIE variable total name length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	    case PARSE_POST:
+			if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
+				php_security_log(S_VARS, "configured POST variable name length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
+				php_security_log(S_VARS, "configured POST variable total name length limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	}
+	
+	/* Find out array depth */
+	while (index) {
+		unsigned int index_length;
+		
+		depth++;
+		index = strchr(index+1, '[');
+		
+		if (prev_index) {
+			index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
+			
+			if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
+				php_security_log(S_VARS, "configured request variable array index length limit exceeded - dropped %s", var);
+				return 0;
+			} 
+			switch (arg) {
+			    case PARSE_GET:
+					if (VARFILTER_G(max_get_array_index_length) && VARFILTER_G(max_get_array_index_length) < index_length) {
+						php_security_log(S_VARS, "configured GET variable array index length limit exceeded - dropped %s", var);
+						return 0;
+					} 
+					break;
+			    case PARSE_COOKIE:
+					if (VARFILTER_G(max_cookie_array_index_length) && VARFILTER_G(max_cookie_array_index_length) < index_length) {
+						php_security_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped %s", var);
+						return 0;
+					} 
+					break;
+			    case PARSE_POST:
+					if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
+						php_security_log(S_VARS, "configured POST variable array index length limit exceeded - dropped %s", var);
+						return 0;
+					} 
+					break;
+			}
+			prev_index = index;
+		}
+		
+	}
+	
+	/* Drop this variable if it exceeds the array depth limit */
+	if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
+		php_security_log(S_VARS, "configured request variable array depth limit exceeded - dropped %s", var);
+		return 0;
+	}
+	switch (arg) {
+	    case PARSE_GET:
+			if (VARFILTER_G(max_get_array_depth) && VARFILTER_G(max_get_array_depth) < depth) {
+				php_security_log(S_VARS, "configured GET variable array depth limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	    case PARSE_COOKIE:
+			if (VARFILTER_G(max_cookie_array_depth) && VARFILTER_G(max_cookie_array_depth) < depth) {
+				php_security_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	    case PARSE_POST:
+			if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
+				php_security_log(S_VARS, "configured POST variable array depth limit exceeded - dropped %s", var);
+				return 0;
+			}
+			break;
+	}
+
+	/* Check if variable value is truncated by a \0 */
+	
+	if (val && *val && val_len != strlen(*val)) {
+	
+		if (VARFILTER_G(disallow_nul)) {
+			php_security_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped %s", var);
+			return 0;
+		}
+		switch (arg) {
+		    case PARSE_GET:
+				if (VARFILTER_G(disallow_get_nul)) {
+					php_security_log(S_VARS, "ASCII-NUL chars not allowed within GET variables - dropped %s", var);
+					return 0;
+				}
+				break;
+		    case PARSE_COOKIE:
+				if (VARFILTER_G(disallow_cookie_nul)) {
+					php_security_log(S_VARS, "ASCII-NUL chars not allowed within COOKIE variables - dropped %s", var);
+					return 0;
+				}
+				break;
+		    case PARSE_POST:
+				if (VARFILTER_G(disallow_post_nul)) {
+					php_security_log(S_VARS, "ASCII-NUL chars not allowed within POST variables - dropped %s", var);
+					return 0;
+				}
+				break;
+		}
+	}
+	
+	/* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
+	/* This is to protect several silly scripts that do globalizing themself */
+	
+	switch (var_len) {
+	    case 18:
+		if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname;
+		break;
+	    case 17:
+		if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname;
+		break;
+	    case 16:
+		if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname;
+		if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname;
+		break;
+	    case 15:
+		if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname;
+		break;
+	    case 14:
+		if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname;
+		break;
+	    case 13:
+		if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname;
+		if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname;
+		break;
+	    case 8:
+		if (memcmp(var, "_SESSION", 8)==0) goto protected_varname;
+		if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname;
+		break;
+	    case 7:
+		if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname;
+		if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname;
+		if (memcmp(var, "_SERVER", 7)==0) goto protected_varname;
+		break;
+	    case 6:
+		if (memcmp(var, "_FILES", 6)==0) goto protected_varname;
+		break;
+	    case 5:
+		if (memcmp(var, "_POST", 5)==0) goto protected_varname;
+		break;
+	    case 4:
+		if (memcmp(var, "_ENV", 4)==0) goto protected_varname;
+		if (memcmp(var, "_GET", 4)==0) goto protected_varname;
+		break;
+	}
+
+	/* Okay let PHP register this variable */
+	VARFILTER_G(cur_request_variables)++;
+	switch (arg) {
+	    case PARSE_GET:
+			VARFILTER_G(cur_get_vars)++;
+			break;
+	    case PARSE_COOKIE:
+			VARFILTER_G(cur_cookie_vars)++;
+			break;
+	    case PARSE_POST:
+			VARFILTER_G(cur_post_vars)++;
+			break;
+	}
+	
+	if (new_val_len) {
+		*new_val_len = val_len;
+	}
+
+	return 1;
+protected_varname:
+	php_security_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
+	return 0;	
+}
+/* }}} */
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: noet sw=4 ts=4 fdm=marker
+ * vim<600: noet sw=4 ts=4
+ */
+
+
diff -Nura php-5.1.4/ext/wddx/wddx.c hardening-patch-5.1.4-0.4.15/ext/wddx/wddx.c
--- php-5.1.4/ext/wddx/wddx.c	2006-04-23 18:02:05.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/ext/wddx/wddx.c	2006-09-05 20:31:04.000000000 +0200
@@ -399,9 +399,9 @@
 					break;
 
 				default:
-					if (iscntrl((int)*(unsigned char *)p)) {
+					if (iscntrl((int)*(unsigned char *)p)||(int)*(unsigned char *)p >= 127) {
 						FLUSH_BUF();
-						sprintf(control_buf, WDDX_CHAR, *p);
+						sprintf(control_buf, WDDX_CHAR, (int)*(unsigned char *)p);
 						php_wddx_add_chunk(packet, control_buf);
 					} else
 						buf[l++] = *p;
@@ -751,7 +751,7 @@
 	} else if (!strcmp(name, EL_CHAR)) {
 		int i;
 		
-		for (i = 0; atts[i]; i++) {
+		if (atts) for (i = 0; atts[i]; i++) {
 			if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) {
 				char tmp_buf[2];
 
@@ -771,7 +771,7 @@
 	} else if (!strcmp(name, EL_BOOLEAN)) {
 		int i;
 
-		for (i = 0; atts[i]; i++) {
+		if (atts) for (i = 0; atts[i]; i++) {
 			if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) {
 				ent.type = ST_BOOLEAN;
 				SET_STACK_VARNAME;
@@ -812,7 +812,7 @@
 	} else if (!strcmp(name, EL_VAR)) {
 		int i;
 		
-		for (i = 0; atts[i]; i++) {
+		if (atts) for (i = 0; atts[i]; i++) {
 			if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
 				char *decoded;
 				int decoded_len;
@@ -829,7 +829,7 @@
 		MAKE_STD_ZVAL(ent.data);
 		array_init(ent.data);
 
-		for (i = 0; atts[i]; i++) {
+		if (atts) for (i = 0; atts[i]; i++) {
 			if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) {
 				zval *tmp;
 				char *key;
@@ -869,7 +869,7 @@
 		ent.varname = NULL;
 		ent.data = NULL;
 
-		for (i = 0; atts[i]; i++) {
+		if (atts) for (i = 0; atts[i]; i++) {
 			if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
 				char *decoded;
 				int decoded_len;
diff -Nura php-5.1.4/main/fopen_wrappers.c hardening-patch-5.1.4-0.4.15/main/fopen_wrappers.c
--- php-5.1.4/main/fopen_wrappers.c	2006-03-17 11:42:31.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/fopen_wrappers.c	2006-09-07 18:53:55.000000000 +0200
@@ -104,7 +104,10 @@
 	}
 
 	/* Resolve the real path into resolved_name */
-	if ((expand_filepath(path, resolved_name TSRMLS_CC) != NULL) && (expand_filepath(local_open_basedir, resolved_basedir TSRMLS_CC) != NULL)) {
+	if (expand_filepath(path, resolved_name TSRMLS_CC) == NULL) {
+		return -2;
+	}
+	if (expand_filepath(local_open_basedir, resolved_basedir TSRMLS_CC) != NULL) {
 		/* Handler for basedirs that end with a / */
 		resolved_basedir_len = strlen(resolved_basedir);
 		if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
@@ -114,14 +117,20 @@
 			}
 		}
 
+		resolved_name_len = strlen(resolved_name);
 		if (path[strlen(path)-1] == PHP_DIR_SEPARATOR) {
-			resolved_name_len = strlen(resolved_name);
 			if (resolved_name[resolved_name_len - 1] != PHP_DIR_SEPARATOR) {
 				resolved_name[resolved_name_len] = PHP_DIR_SEPARATOR;
 				resolved_name[++resolved_name_len] = '\0';
 			}
 		}
 
+		if (resolved_name_len == resolved_basedir_len - 1) {
+			if (resolved_basedir[resolved_basedir_len - 1] == PHP_DIR_SEPARATOR) {
+				resolved_basedir_len--;
+			}
+		}
+
 		/* Check the path */
 #if defined(PHP_WIN32) || defined(NETWARE)
 		if (strncasecmp(resolved_basedir, resolved_name, resolved_basedir_len) == 0) {
@@ -135,7 +144,7 @@
 		}
 	} else {
 		/* Unable to resolve the real path, return -1 */
-		return -1;
+		return -3;
 	}
 }
 /* }}} */
@@ -154,22 +163,44 @@
 		char *pathbuf;
 		char *ptr;
 		char *end;
+		char path_copy[MAXPATHLEN];
+		int path_len;
+
+		/* Special case path ends with a trailing slash */
+		path_len = strlen(path);
+		if (path_len >= MAXPATHLEN) {
+			errno = EPERM; /* we deny permission to open it */
+			return -1;
+		}
+		if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
+			memcpy(path_copy, path, path_len+1);
+			while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
+			path_copy[path_len] = '\0';
+			path = (const char *)&path_copy;
+		}
 
 		pathbuf = estrdup(PG(open_basedir));
 
 		ptr = pathbuf;
 
 		while (ptr && *ptr) {
+			int res;
 			end = strchr(ptr, DEFAULT_DIR_SEPARATOR);
 			if (end != NULL) {
 				*end = '\0';
 				end++;
 			}
 
-			if (php_check_specific_open_basedir(ptr, path TSRMLS_CC) == 0) {
+			res = php_check_specific_open_basedir(ptr, path TSRMLS_CC);
+			if (res == 0) {
 				efree(pathbuf);
 				return 0;
 			}
+			if (res == -2) {
+				efree(pathbuf);
+				errno = EPERM;
+				return -1;
+			}
 
 			ptr = end;
 		}
diff -Nura php-5.1.4/main/hardened_globals.h hardening-patch-5.1.4-0.4.15/main/hardened_globals.h
--- php-5.1.4/main/hardened_globals.h	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/hardened_globals.h	2006-09-05 20:31:05.000000000 +0200
@@ -0,0 +1,64 @@
+/*
+   +----------------------------------------------------------------------+
+   | Hardening-Patch for PHP                                              |
+   +----------------------------------------------------------------------+
+   | Copyright (c) 2004-2005 Stefan Esser                                 |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 2.02 of the PHP license,      |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available at through the world-wide-web at                           |
+   | http://www.php.net/license/2_02.txt.                                 |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+   | Author: Stefan Esser <sesser@hardened-php.net>                       |
+   +----------------------------------------------------------------------+
+ */
+
+#ifndef HARDENED_GLOBALS_H
+#define HARDENED_GLOBALS_H
+
+typedef struct _hardened_globals hardened_globals_struct;
+
+#ifdef ZTS
+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
+extern int hardened_globals_id;
+#else
+# define HG(v) (hardened_globals.v)
+extern struct _hardened_globals hardened_globals;
+#endif
+
+
+struct _hardened_globals {
+#if HARDENING_PATCH_MM_PROTECT
+	unsigned int canary_1;
+	unsigned int canary_2;
+#endif
+#if HARDENING_PATCH_LL_PROTECT
+	unsigned int canary_3;
+	unsigned int canary_4;
+	unsigned int ll_canary_inited;
+#endif
+	zend_bool hphp_sql_bailout_on_error;
+	zend_bool hphp_multiheader;
+	unsigned long hphp_mailprotect;
+	long hard_memory_limit;
+	HashTable *eval_whitelist;
+	HashTable *eval_blacklist;
+	HashTable *func_whitelist;
+	HashTable *func_blacklist;
+	HashTable *include_whitelist;
+	HashTable *include_blacklist;
+	unsigned int dummy;
+};
+
+
+#endif /* HARDENED_GLOBALS_H */
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ */
diff -Nura php-5.1.4/main/hardening_patch.c hardening-patch-5.1.4-0.4.15/main/hardening_patch.c
--- php-5.1.4/main/hardening_patch.c	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/hardening_patch.c	2006-09-05 20:31:05.000000000 +0200
@@ -0,0 +1,430 @@
+/*
+   +----------------------------------------------------------------------+
+   | Hardening Patch for PHP                                              |
+   +----------------------------------------------------------------------+
+   | Copyright (c) 2004-2005 Stefan Esser                                 |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 2.02 of the PHP license,      |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available at through the world-wide-web at                           |
+   | http://www.php.net/license/2_02.txt.                                 |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+   | Author: Stefan Esser <sesser@hardened-php.net>                       |
+   +----------------------------------------------------------------------+
+ */
+/* $Id: hardening_patch.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
+
+#include "php.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include "SAPI.h"
+#include "php_globals.h"
+
+#if HARDENING_PATCH
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
+#undef AF_UNIX
+#endif
+
+#if defined(AF_UNIX)
+#include <sys/un.h>
+#endif
+
+#define SYSLOG_PATH  "/dev/log"
+
+#include "snprintf.h"
+
+#include "hardening_patch.h"
+
+#ifdef ZTS
+#include "hardened_globals.h"
+int hardened_globals_id;
+#else
+struct _hardened_globals hardened_globals;
+#endif
+
+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
+{
+	memset(hardened_globals, 0, sizeof(*hardened_globals));
+}
+
+
+PHPAPI void hardened_startup()
+{
+#ifdef ZTS
+	ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
+#else
+	hardened_globals_ctor(&hardened_globals TSRMLS_CC);
+#endif
+}
+
+PHPAPI void hardened_clear_mm_canaries(TSRMLS_D)
+{
+	HG(canary_1) = php_canary();
+	HG(canary_2) = php_canary();
+}
+
+char *loglevel2string(int loglevel)
+{
+	switch (loglevel) {
+	    case S_FILES:
+		return "FILES";
+	    case S_INCLUDE:
+		return "INCLUDE";
+	    case S_MEMORY:
+		return "MEMORY";
+	    case S_MISC:
+		return "MISC";
+	    case S_SQL:
+		return "SQL";
+	    case S_EXECUTOR:
+		return "EXECUTOR";
+	    case S_VARS:
+		return "VARS";
+	    default:
+		return "UNKNOWN";    
+	}
+}
+
+PHPAPI void php_security_log(int loglevel, char *fmt, ...)
+{
+#if defined(AF_UNIX)
+	int s, r, i=0;
+	struct sockaddr_un saun;
+	char buf[4096+64];
+	char error[4096+100];
+	char *ip_address;
+	char *fname;
+	int lineno;
+	va_list ap;
+	TSRMLS_FETCH();
+	
+	if (EG(hphp_log_use_x_forwarded_for)) {
+		ip_address = sapi_getenv("HTTP_X_FORWARDED_FOR", 20 TSRMLS_CC);
+		if (ip_address == NULL) {
+			ip_address = "X-FORWARDED-FOR not set";
+		}
+	} else {
+		ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
+		if (ip_address == NULL) {
+			ip_address = "REMOTE_ADDR not set";
+		}
+	}
+	
+	
+	va_start(ap, fmt);
+	ap_php_vsnprintf(error, sizeof(error), fmt, ap);
+	va_end(ap);
+	while (error[i]) {
+		if (error[i] < 32) error[i] = '.';
+		i++;
+	}
+	
+	if (zend_is_executing(TSRMLS_C)) {
+		lineno = zend_get_executed_lineno(TSRMLS_C);
+		fname = zend_get_executed_filename(TSRMLS_C);
+		ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s', line %u)", error, ip_address, fname, lineno);
+	} else {
+		fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
+		if (fname==NULL) {
+			fname = "unknown";
+		}
+		ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s')", error, ip_address, fname);
+	}
+			
+	/* Syslog-Logging disabled? */
+	if ((EG(hphp_log_syslog) & loglevel)==0) {
+		goto log_sapi;
+	}	
+	
+	ap_php_snprintf(error, sizeof(error), "<%u>hphp[%u]: %s\n", EG(hphp_log_syslog_facility)|EG(hphp_log_syslog_priority),getpid(),buf);
+
+	s = socket(AF_UNIX, SOCK_DGRAM, 0);
+	if (s == -1) {
+		goto log_sapi;
+	}
+	
+	memset(&saun, 0, sizeof(saun));
+	saun.sun_family = AF_UNIX;
+	strcpy(saun.sun_path, SYSLOG_PATH);
+	/*saun.sun_len = sizeof(saun);*/
+	
+	r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
+	if (r) {
+		close(s);
+    		s = socket(AF_UNIX, SOCK_STREAM, 0);
+		if (s == -1) {
+			goto log_sapi;
+		}
+	
+		memset(&saun, 0, sizeof(saun));
+		saun.sun_family = AF_UNIX;
+		strcpy(saun.sun_path, SYSLOG_PATH);
+		/*saun.sun_len = sizeof(saun);*/
+
+		r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
+		if (r) { 
+			close(s);
+			goto log_sapi;
+		}
+	}
+	send(s, error, strlen(error), 0);
+	
+	close(s);
+
+log_sapi:
+	/* SAPI Logging activated? */
+	if ((EG(hphp_log_sapi) & loglevel)!=0) {
+		sapi_module.log_message(buf);
+	}
+
+log_script:
+	/* script logging activaed? */
+	if (((EG(hphp_log_script) & loglevel)!=0) && EG(hphp_log_scriptname)!=NULL) {
+		char cmd[8192], *cmdpos, *bufpos;
+		FILE *in;
+		int space;
+		
+		ap_php_snprintf(cmd, sizeof(cmd), "%s %s \'", EG(hphp_log_scriptname), loglevel2string(loglevel));
+		space = sizeof(cmd) - strlen(cmd);
+		cmdpos = cmd + strlen(cmd);
+		bufpos = buf;
+		if (space <= 1) return;
+		while (space > 2 && *bufpos) {
+			if (*bufpos == '\'') {
+				if (space<=5) break;
+				*cmdpos++ = '\'';
+				*cmdpos++ = '\\';
+				*cmdpos++ = '\'';
+				*cmdpos++ = '\'';
+				bufpos++;
+				space-=4;
+			} else {
+				*cmdpos++ = *bufpos++;
+				space--;
+			}
+		}
+		*cmdpos++ = '\'';
+		*cmdpos = 0;
+		
+		if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
+			php_security_log(S_INTERNAL, "Unable to execute logging shell script: %s", EG(hphp_log_scriptname));
+			return;
+		}
+		/* read and forget the result */
+		while (1) {
+			int readbytes = fread(cmd, 1, sizeof(cmd), in);
+			if (readbytes<=0) {
+				break;
+			}
+		}
+		pclose(in);
+	}
+
+#endif
+}
+#endif
+
+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
+
+/* will be replaced later with more compatible method */
+PHPAPI unsigned int php_canary()
+{
+	time_t t;
+	unsigned int canary;
+	int fd;
+	
+	fd = open("/dev/urandom", 0);
+	if (fd != -1) {
+		int r = read(fd, &canary, sizeof(canary));
+		close(fd);
+		if (r == sizeof(canary)) {
+			return (canary);
+		}
+	}
+	/* not good but we never want to do this */
+	time(&t);
+	canary = *(unsigned int *)&t + getpid() << 16;
+	return (canary);
+}
+#endif
+
+#if HARDENING_PATCH_INC_PROTECT
+
+PHPAPI int php_is_valid_include(zval *z)
+{
+	char *filename;
+	int len, i;
+	TSRMLS_FETCH();
+	
+	/* must be of type string */
+	if (z->type != IS_STRING || z->value.str.val == NULL) {
+		return (0);
+	}
+	
+	/* short cut */
+	filename = z->value.str.val;
+	len = z->value.str.len;
+	
+	/* 1. must be shorter than MAXPATHLEN */
+	if (len > MAXPATHLEN) {
+		char *fname = estrndup(filename, len);
+		for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
+		php_security_log(S_INCLUDE, "Include filename ('%s') longer than MAXPATHLEN chars", fname);
+		efree(fname);
+		return (0);
+	}
+	
+	/* 2. must not be cutted */
+	if (len != strlen(filename)) {
+		char *fname = estrndup(filename, len);
+		for (i=0; fname[i]; i++) if (fname[i] < 32) fname[i]='.';
+		php_security_log(S_INCLUDE, "Include filename truncated by a \\0 after '%s'", fname);
+		efree(fname);
+		return (0);
+	}
+	
+	/* 3. when it is an URL first check black/whitelist if both are empty disallow all URLs */
+	if (strstr(filename, "://")) {
+		char *fname = estrndup(filename, len);
+		for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
+	
+		/* no black or whitelist then disallow all */
+		if (HG(include_whitelist)==NULL && HG(include_blacklist)==NULL) {
+			php_security_log(S_INCLUDE, "Include filename ('%s') is an URL", fname);
+			efree(fname);
+			return (0);
+		}
+		
+		/* whitelist is stronger than blacklist */
+		if (HG(include_whitelist)) {
+			char *s, *t, *h, *index;
+			uint indexlen;
+			ulong numindex;
+
+			s = filename;
+			
+			do {
+				zend_bool isOk = 0;
+				int tlen;
+				
+				t = h = strstr(s, "://");
+				if (h == NULL) break;
+				
+				
+				while (t > s && (isalnum(t[-1]) || t[-1]=='_')) {
+					t--;
+				}
+				
+				tlen = strlen(t);
+								
+				zend_hash_internal_pointer_reset(HG(include_whitelist));
+				do {
+					int r = zend_hash_get_current_key_ex(HG(include_whitelist), &index, &indexlen, &numindex, 0, NULL);
+					
+					if (r==HASH_KEY_NON_EXISTANT) {
+						break;
+					}
+					if (r==HASH_KEY_IS_STRING) {
+						if (h-t <= indexlen-1 && tlen>=indexlen-1) {
+							if (strncmp(t, index, indexlen-1)==0) {
+								isOk = 1;
+								break;
+							}
+						}
+					}
+					
+					zend_hash_move_forward(HG(include_whitelist));
+				} while (1);
+				
+				/* not found in whitelist */
+				if (!isOk) {
+					php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is not allowed in whitelist", fname);
+					efree(fname);
+					return 0;
+				}
+				
+				s = h + 3;
+			} while (1);
+		} else {
+			/* okay then handle the blacklist */
+			char *s, *t, *h, *index;
+			uint indexlen;
+			ulong numindex;
+
+			s = filename;
+			
+			do {
+				int tlen;
+				
+				t = h = strstr(s, "://");
+				if (h == NULL) break;
+				
+				
+				while (t > s && (isalnum(t[-1]) || t[-1]=='_')) {
+					t--;
+				}
+				
+				tlen = strlen(t);
+								
+				zend_hash_internal_pointer_reset(HG(include_blacklist));
+				do {
+					int r = zend_hash_get_current_key_ex(HG(include_blacklist), &index, &indexlen, &numindex, 0, NULL);
+					
+					if (r==HASH_KEY_NON_EXISTANT) {
+						break;
+					}
+					if (r==HASH_KEY_IS_STRING) {
+						if (h-t <= indexlen-1 && tlen>=indexlen-1) {
+							if (strncmp(t, index, indexlen-1)==0) {
+								php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is forbidden by the blacklist", fname);
+								efree(fname);
+								return 0;
+							}
+						}
+					}
+					
+					zend_hash_move_forward(HG(include_blacklist));
+				} while (1);
+				
+				s = h + 3;
+			} while (1);
+		}
+		
+		efree(fname);
+	}
+	
+	/* 4. must not be an uploaded file */
+	if (SG(rfc1867_uploaded_files)) {
+		if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
+			php_security_log(S_INCLUDE, "Include filename is an uploaded file");
+			return (0);
+		}
+	}
+	
+	/* passed all tests */
+	return (1);
+}
+
+#endif
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: sw=4 ts=4 fdm=marker
+ * vim<600: sw=4 ts=4
+ */
diff -Nura php-5.1.4/main/hardening_patch.h hardening-patch-5.1.4-0.4.15/main/hardening_patch.h
--- php-5.1.4/main/hardening_patch.h	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/hardening_patch.h	2006-09-07 18:51:30.000000000 +0200
@@ -0,0 +1,46 @@
+/*
+   +----------------------------------------------------------------------+
+   | Hardening Patch for PHP                                              |
+   +----------------------------------------------------------------------+
+   | Copyright (c) 2004-2005 Stefan Esser                                 |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 2.02 of the PHP license,      |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available at through the world-wide-web at                           |
+   | http://www.php.net/license/2_02.txt.                                 |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+   | Author: Stefan Esser <sesser@hardened-php.net>                       |
+   +----------------------------------------------------------------------+
+ */
+
+#ifndef HARDENING_PATCH_H
+#define HARDENING_PATCH_H
+
+#include "zend.h"
+
+#if HARDENING_PATCH
+PHPAPI void php_security_log(int loglevel, char *fmt, ...);
+PHPAPI void hardened_startup();
+#define HARDENING_PATCH_VERSION "0.4.15"
+
+#endif
+
+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
+PHPAPI unsigned int php_canary();
+#endif
+
+#if HARDENING_PATCH_INC_PROTECT
+PHPAPI int php_is_valid_include(zval *z);
+#endif
+
+#endif /* HARDENING_PATCH_H */
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ */
diff -Nura php-5.1.4/main/hardening_patch.m4 hardening-patch-5.1.4-0.4.15/main/hardening_patch.m4
--- php-5.1.4/main/hardening_patch.m4	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/hardening_patch.m4	2006-09-05 20:31:05.000000000 +0200
@@ -0,0 +1,95 @@
+dnl
+dnl $Id: hardening_patch.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
+dnl
+dnl This file contains Hardening Patch for PHP specific autoconf functions.
+dnl
+
+AC_ARG_ENABLE(hardening-patch-mm-protect,
+[  --disable-hardening-patch-mm-protect    Disable the Memory Manager protection.],[
+  DO_HARDENING_PATCH_MM_PROTECT=$enableval
+],[
+  DO_HARDENING_PATCH_MM_PROTECT=yes
+])
+
+AC_ARG_ENABLE(hardening-patch-ll-protect,
+[  --disable-hardening-patch-ll-protect    Disable the Linked List protection.],[
+  DO_HARDENING_PATCH_LL_PROTECT=$enableval
+],[
+  DO_HARDENING_PATCH_LL_PROTECT=yes
+])
+
+AC_ARG_ENABLE(hardening-patch-inc-protect,
+[  --disable-hardening-patch-inc-protect   Disable include/require protection.],[
+  DO_HARDENING_PATCH_INC_PROTECT=$enableval
+],[
+  DO_HARDENING_PATCH_INC_PROTECT=yes
+])
+
+AC_ARG_ENABLE(hardening-patch-fmt-protect,
+[  --disable-hardening-patch-fmt-protect   Disable format string protection.],[
+  DO_HARDENING_PATCH_FMT_PROTECT=$enableval
+],[
+  DO_HARDENING_PATCH_FMT_PROTECT=yes
+])
+
+AC_ARG_ENABLE(hardening-patch-hash-protect,
+[  --disable-hardening-patch-hash-protect  Disable HashTable destructor protection.],[
+  DO_HARDENING_PATCH_HASH_PROTECT=$enableval
+],[
+  DO_HARDENING_PATCH_HASH_PROTECT=yes
+])
+
+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
+AC_MSG_RESULT($DO_HARDENING_PATCH_MM_PROTECT)
+
+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
+AC_MSG_RESULT($DO_HARDENING_PATCH_LL_PROTECT)
+
+AC_MSG_CHECKING(whether to protect include/require statements)
+AC_MSG_RESULT($DO_HARDENING_PATCH_INC_PROTECT)
+
+AC_MSG_CHECKING(whether to protect PHP Format String functions)
+AC_MSG_RESULT($DO_HARDENING_PATCH_FMT_PROTECT)
+
+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
+AC_MSG_RESULT($DO_HARDENING_PATCH_HASH_PROTECT)
+
+
+AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
+
+
+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
+dnl  AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
+  AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 1, [Memory Manager Protection])
+else
+  AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 0, [Memory Manager Protection])
+fi
+
+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
+dnl    AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
+  AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 1, [Linked List Protection])
+else
+  AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 0, [Linked List Protection])
+fi
+
+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
+dnl    AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
+  AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 1, [Include/Require Protection])
+else
+  AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 0, [Include/Require Protection])
+fi
+
+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
+dnl    AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
+  AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 1, [Fmt String Protection])
+else
+  AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 0, [Fmt String Protection])
+fi
+
+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
+dnl    AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
+  AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 1, [HashTable DTOR Protection])
+else
+  AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 0, [HashTable DTOR Protection])
+fi
+
diff -Nura php-5.1.4/main/main.c hardening-patch-5.1.4-0.4.15/main/main.c
--- php-5.1.4/main/main.c	2006-04-12 14:49:39.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/main/main.c	2006-09-05 20:31:05.000000000 +0200
@@ -85,6 +85,10 @@
 
 #include "SAPI.h"
 #include "rfc1867.h"
+#if HARDENING_PATCH
+#include "hardened_globals.h"
+#endif
+
 /* }}} */
 
 #ifndef ZTS
@@ -109,17 +113,39 @@
  */
 static PHP_INI_MH(OnChangeMemoryLimit)
 {
+#if HARDENING_PATCH
+	long hard_memory_limit = 1<<30;
+	
+	if (stage == ZEND_INI_STAGE_RUNTIME) {
+		if (HG(hard_memory_limit) == 0) {
+			HG(hard_memory_limit) = PG(memory_limit);
+		}
+		hard_memory_limit = HG(hard_memory_limit);
+	} else {
+		HG(hard_memory_limit) = 0;
+	}
+#endif	
 	if (new_value) {
 		PG(memory_limit) = zend_atoi(new_value, new_value_length);
+#if HARDENING_PATCH
+		if (PG(memory_limit) > hard_memory_limit) {
+			PG(memory_limit) = hard_memory_limit;
+			php_security_log(S_MISC, "script tried to increase memory_limit above allowed value");
+			return FAILURE;
+		}
+#endif	
 	} else {
+#if HARDENING_PATCH
+		PG(memory_limit) = hard_memory_limit;
+#else
 		PG(memory_limit) = 1<<30;		/* effectively, no limit */
+#endif
 	}
 	return zend_set_memory_limit(PG(memory_limit));
 }
 /* }}} */
 #endif
 
-
 /* {{{ php_disable_functions
  */
 static void php_disable_functions(TSRMLS_D)
@@ -1095,6 +1121,13 @@
 			sapi_add_header(SAPI_PHP_VERSION_HEADER, sizeof(SAPI_PHP_VERSION_HEADER)-1, 1);
 		}
 
+		/* Disable realpath cache if safe_mode or open_basedir are set */
+		if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
+			CWDG(realpath_cache_disable) = 1;
+		} else {
+			CWDG(realpath_cache_disable) = 0;
+		}
+
 		if (PG(output_handler) && PG(output_handler)[0]) {
 			php_start_ob_buffer_named(PG(output_handler), 0, 1 TSRMLS_CC);
 		} else if (PG(output_buffering)) {
@@ -1222,6 +1255,9 @@
 
 	zend_try {
 		shutdown_memory_manager(CG(unclean_shutdown), 0 TSRMLS_CC);
+#if HARDENING_PATCH
+		hardened_clear_mm_canaries(TSRMLS_C);
+#endif
 	} zend_end_try();
 
 	zend_try {
@@ -1393,6 +1429,10 @@
 	tsrm_ls = ts_resource(0);
 #endif
 
+#if HARDENING_PATCH
+	hardened_startup();
+#endif
+
 	module_shutdown = 0;
 	module_startup = 1;
 	sapi_initialize_empty_request(TSRMLS_C);
@@ -1406,6 +1446,12 @@
 
 	php_output_startup();
 
+#if HARDENING_PATCH_INC_PROTECT
+	zuf.is_valid_include = php_is_valid_include;
+#endif
+#if HARDENING_PATCH
+	zuf.security_log_function = php_security_log;
+#endif
 	zuf.error_function = php_error_cb;
 	zuf.printf_function = php_printf;
 	zuf.write_function = php_body_write_wrapper;
@@ -1476,7 +1522,9 @@
 
 	/* Disable realpath cache if safe_mode or open_basedir are set */
 	if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
-		CWDG(realpath_cache_size_limit) = 0;
+		CWDG(realpath_cache_disable) = 1;
+	} else {
+		CWDG(realpath_cache_disable) = 0;
 	}
 
 	/* initialize stream wrappers registry
@@ -1517,6 +1565,10 @@
 	REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, strlen(PHP_CONFIG_FILE_PATH), CONST_PERSISTENT | CONST_CS);
 	REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
 	REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
+#if HARDENING_PATCH
+	REGISTER_MAIN_LONG_CONSTANT("HARDENING_PATCH", 1, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_STRINGL_CONSTANT("HARDENING_PATCH_VERSION", HARDENING_PATCH_VERSION, sizeof(HARDENING_PATCH_VERSION)-1, CONST_PERSISTENT | CONST_CS);
+#endif
 	REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
 	REGISTER_MAIN_LONG_CONSTANT("PHP_INT_MAX", LONG_MAX, CONST_PERSISTENT | CONST_CS);
 	REGISTER_MAIN_LONG_CONSTANT("PHP_INT_SIZE", sizeof(long), CONST_PERSISTENT | CONST_CS);
diff -Nura php-5.1.4/main/php_config.h.in hardening-patch-5.1.4-0.4.15/main/php_config.h.in
--- php-5.1.4/main/php_config.h.in	2006-05-12 16:41:13.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/main/php_config.h.in	2006-09-05 20:31:05.000000000 +0200
@@ -788,6 +788,39 @@
 /* Enabling BIND8 compatibility for Panther */
 #undef BIND_8_COMPAT
 
+/* Hardening-Patch for PHP */
+#undef HARDENING_PATCH
+
+/* Memory Manager Protection */
+#undef HARDENING_PATCH_MM_PROTECT
+
+/* Memory Manager Protection */
+#undef HARDENING_PATCH_MM_PROTECT
+
+/* Linked List Protection */
+#undef HARDENING_PATCH_LL_PROTECT
+
+/* Linked List Protection */
+#undef HARDENING_PATCH_LL_PROTECT
+
+/* Include/Require Protection */
+#undef HARDENING_PATCH_INC_PROTECT
+
+/* Include/Require Protection */
+#undef HARDENING_PATCH_INC_PROTECT
+
+/* Fmt String Protection */
+#undef HARDENING_PATCH_FMT_PROTECT
+
+/* Fmt String Protection */
+#undef HARDENING_PATCH_FMT_PROTECT
+
+/* HashTable DTOR Protection */
+#undef HARDENING_PATCH_HASH_PROTECT
+
+/* HashTable DTOR Protection */
+#undef HARDENING_PATCH_HASH_PROTECT
+
 /* Whether you have AOLserver */
 #undef HAVE_AOLSERVER
 
@@ -1131,6 +1164,12 @@
 /* Define if you have the getaddrinfo function */
 #undef HAVE_GETADDRINFO
 
+/* Whether realpath is broken */
+#undef PHP_BROKEN_REALPATH
+
+/* Whether realpath is broken */
+#undef PHP_BROKEN_REALPATH
+
 /* Whether system headers declare timezone */
 #undef HAVE_DECLARED_TIMEZONE
 
diff -Nura php-5.1.4/main/php.h hardening-patch-5.1.4-0.4.15/main/php.h
--- php-5.1.4/main/php.h	2006-03-07 23:37:53.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/php.h	2006-09-05 20:31:05.000000000 +0200
@@ -35,11 +35,19 @@
 #include "zend_qsort.h"
 #include "php_compat.h"
 
+
 #include "zend_API.h"
 
 #undef sprintf
 #define sprintf php_sprintf
 
+#if HARDENING_PATCH
+#if HAVE_REALPATH
+#undef realpath
+#define realpath php_realpath
+#endif
+#endif
+
 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
 #undef PHP_DEBUG
 #define PHP_DEBUG ZEND_DEBUG
@@ -338,6 +346,7 @@
 #define PHP_FUNCTION			ZEND_FUNCTION
 #define PHP_METHOD  			ZEND_METHOD
 
+#define PHP_STATIC_FE	ZEND_STATIC_FE
 #define PHP_NAMED_FE	ZEND_NAMED_FE
 #define PHP_FE			ZEND_FE
 #define PHP_DEP_FE      ZEND_DEP_FE
@@ -447,6 +456,10 @@
 #endif
 #endif /* !XtOffsetOf */
 
+#if HARDENING_PATCH
+#include "hardening_patch.h"
+#endif
+
 #endif
 
 /*
diff -Nura php-5.1.4/main/php_open_temporary_file.c hardening-patch-5.1.4-0.4.15/main/php_open_temporary_file.c
--- php-5.1.4/main/php_open_temporary_file.c	2006-01-01 13:50:17.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/php_open_temporary_file.c	2006-09-05 20:31:05.000000000 +0200
@@ -114,17 +114,16 @@
 
 	path_len = strlen(path);
 
-	if (!(opened_path = emalloc(MAXPATHLEN))) {
-		return -1;
-	}
-
 	if (!path_len || IS_SLASH(path[path_len - 1])) {
 		trailing_slash = "";
 	} else {
 		trailing_slash = "/";
 	}
 
-	(void)snprintf(opened_path, MAXPATHLEN, "%s%s%sXXXXXX", path, trailing_slash, pfx);
+	if (spprintf(&opened_path, 0, "%s%s%sXXXXXX", path, trailing_slash, pfx) >= MAXPATHLEN) {
+	        efree(opened_path);
+		return -1;
+	}
 
 #ifdef PHP_WIN32
 	if (GetTempFileName(path, pfx, 0, opened_path)) {
diff -Nura php-5.1.4/main/php_variables.c hardening-patch-5.1.4-0.4.15/main/php_variables.c
--- php-5.1.4/main/php_variables.c	2006-05-03 13:24:29.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/main/php_variables.c	2006-09-05 20:31:05.000000000 +0200
@@ -73,6 +73,10 @@
 		symtable1 = Z_ARRVAL_P(track_vars_array);
 	} else if (PG(register_globals)) {
 		symtable1 = EG(active_symbol_table);
+		/* GLOBALS hijack attempt, reject parameter */
+		if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+                        symtable1 = NULL;
+		}
 	}
 	if (!symtable1) {
 		/* Nothing to do */
@@ -513,7 +517,7 @@
  */
 static inline void php_register_server_variables(TSRMLS_D)
 {
-	zval *array_ptr = NULL;
+	zval *array_ptr = NULL, *vptr;
 	/* turn off magic_quotes while importing server variables */
 	int magic_quotes_gpc = PG(magic_quotes_gpc);
 
diff -Nura php-5.1.4/main/rfc1867.c hardening-patch-5.1.4-0.4.15/main/rfc1867.c
--- php-5.1.4/main/rfc1867.c	2006-01-01 13:50:17.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/rfc1867.c	2006-09-05 20:31:05.000000000 +0200
@@ -132,6 +132,7 @@
 #define UPLOAD_ERROR_D    4  /* No file uploaded */
 #define UPLOAD_ERROR_E    6  /* Missing /tmp or similar directory */
 #define UPLOAD_ERROR_F    7  /* Failed to write file to disk */
+#define UPLOAD_ERROR_X    32  /* Filter forbids fileupload */
 
 void php_rfc1867_register_constants(TSRMLS_D)
 {
@@ -142,6 +143,7 @@
 	REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE",    UPLOAD_ERROR_D,  CONST_CS | CONST_PERSISTENT);
 	REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E,  CONST_CS | CONST_PERSISTENT);
 	REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F,  CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FILTER", UPLOAD_ERROR_X,  CONST_CS | CONST_PERSISTENT);
 }
 
 static void normalize_protected_variable(char *varname TSRMLS_DC)
@@ -854,6 +856,7 @@
 		char buff[FILLUNIT];
 		char *cd=NULL,*param=NULL,*filename=NULL, *tmp=NULL;
 		int blen=0, wlen=0;
+		unsigned long offset;
 
 		zend_llist_clean(&header);
 
@@ -970,7 +973,11 @@
 					tmp++;				
 				}
 			}
-
+			
+			if (sapi_module.upload_varname_filter && sapi_module.upload_varname_filter(param TSRMLS_CC)==FAILURE) {
+ 				skip_upload = 1;
+ 			}
+ 
 			total_bytes = cancel_upload = 0;
 
 			if (!skip_upload) {
@@ -994,6 +1001,11 @@
 				cancel_upload = UPLOAD_ERROR_D;
 			}
 
+ 			if (sapi_module.pre_upload_filter && sapi_module.pre_upload_filter(param, filename TSRMLS_CC)==FAILURE) {
+ 				cancel_upload = UPLOAD_ERROR_X;
+ 			}
+ 
+ 			offset = 0;
 			end = 0;
 			while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC)))
 			{
@@ -1008,6 +1020,10 @@
 #endif
 					cancel_upload = UPLOAD_ERROR_B;
 				} else if (blen > 0) {
+					if (sapi_module.upload_content_filter && sapi_module.upload_content_filter(offset, buff, blen, &blen TSRMLS_CC)==FAILURE) {
+						cancel_upload = UPLOAD_ERROR_X;
+					}
+			
 					wlen = write(fd, buff, blen);
 			
 					if (wlen < blen) {
@@ -1036,6 +1052,10 @@
 			}
 #endif		
 
+			if (!cancel_upload && sapi_module.post_upload_filter && sapi_module.post_upload_filter(temp_filename TSRMLS_CC)==FAILURE) {
+				cancel_upload = UPLOAD_ERROR_X;
+			}
+
 			if (cancel_upload) {
 				if (temp_filename) {
 					if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
diff -Nura php-5.1.4/main/SAPI.c hardening-patch-5.1.4-0.4.15/main/SAPI.c
--- php-5.1.4/main/SAPI.c	2006-01-01 13:50:17.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/SAPI.c	2006-09-05 20:31:05.000000000 +0200
@@ -870,6 +870,36 @@
 			post_entry->content_type_len+1);
 }
 
+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
+{
+	sapi_module.input_filter = input_filter;
+	return SUCCESS;
+}
+
+SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC))
+{
+	sapi_module.upload_varname_filter = upload_varname_filter;
+	return SUCCESS;
+}
+
+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC))
+{
+	sapi_module.pre_upload_filter = pre_upload_filter;
+	return SUCCESS;
+}
+
+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC))
+{
+	sapi_module.upload_content_filter = upload_content_filter;
+	return SUCCESS;
+}
+
+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC))
+{
+	sapi_module.post_upload_filter = post_upload_filter;
+	return SUCCESS;
+}
+
 
 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D))
 {
@@ -884,11 +914,6 @@
 	return SUCCESS;
 }
 
-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
-{
-	sapi_module.input_filter = input_filter;
-	return SUCCESS;
-}
 
 SAPI_API int sapi_flush(TSRMLS_D)
 {
diff -Nura php-5.1.4/main/SAPI.h hardening-patch-5.1.4-0.4.15/main/SAPI.h
--- php-5.1.4/main/SAPI.h	2006-01-01 13:50:17.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/SAPI.h	2006-09-05 20:31:05.000000000 +0200
@@ -190,6 +190,10 @@
 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
 SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
 
+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC));
+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC));
+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC));
+
 SAPI_API int sapi_flush(TSRMLS_D);
 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
 SAPI_API char *sapi_getenv(char *name, size_t name_len TSRMLS_DC);
@@ -254,6 +258,11 @@
 	int (*get_target_gid)(gid_t * TSRMLS_DC);
 
 	unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
+
+	unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC);
+	unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC);
+	unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC);
+	unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC);
 	
 	void (*ini_defaults)(HashTable *configuration_hash);
 	int phpinfo_as_text;
@@ -279,7 +288,11 @@
 
 #define SAPI_DEFAULT_MIMETYPE		"text/html"
 #define SAPI_DEFAULT_CHARSET		""
+#if HARDENING_PATCH
+#define SAPI_PHP_VERSION_HEADER		"X-Powered-By: PHP/" PHP_VERSION " with Hardening-Patch"
+#else
 #define SAPI_PHP_VERSION_HEADER		"X-Powered-By: PHP/" PHP_VERSION
+#endif
 
 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
@@ -287,6 +300,11 @@
 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
 #define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
 
+#define SAPI_UPLOAD_VARNAME_FILTER_FUNC(upload_varname_filter) unsigned int upload_varname_filter(char *varname TSRMLS_DC)
+#define SAPI_PRE_UPLOAD_FILTER_FUNC(pre_upload_filter) unsigned int pre_upload_filter(char *varname, char *filename TSRMLS_DC)
+#define SAPI_UPLOAD_CONTENT_FILTER_FUNC(upload_content_filter) unsigned int upload_content_filter(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC)
+#define SAPI_POST_UPLOAD_FILTER_FUNC(post_upload_filter) unsigned int post_upload_filter(char *tmpfilename TSRMLS_DC)
+
 BEGIN_EXTERN_C()
 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
diff -Nura php-5.1.4/main/snprintf.c hardening-patch-5.1.4-0.4.15/main/snprintf.c
--- php-5.1.4/main/snprintf.c	2006-01-24 21:59:46.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/snprintf.c	2006-09-05 20:31:05.000000000 +0200
@@ -1014,7 +1014,11 @@
 
 
 				case 'n':
+#if HARDENING_PATCH_FMT_PROTECT
+					php_security_log(S_MISC, "'n' specifier within format string");
+#else
 					*(va_arg(ap, int *)) = cc;
+#endif
 					goto skip_output;
 
 					/*
diff -Nura php-5.1.4/main/spprintf.c hardening-patch-5.1.4-0.4.15/main/spprintf.c
--- php-5.1.4/main/spprintf.c	2006-01-24 21:59:46.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/main/spprintf.c	2006-09-05 20:31:05.000000000 +0200
@@ -630,7 +630,11 @@
 
 
 				case 'n':
+#if HARDENING_PATCH_FMT_PROTECT
+					php_security_log(S_MISC, "'n' specifier within format string");
+#else
 					*(va_arg(ap, int *)) = xbuf->len;
+#endif
 					goto skip_output;
 
 					/*
diff -Nura php-5.1.4/pear/Makefile.frag hardening-patch-5.1.4-0.4.15/pear/Makefile.frag
--- php-5.1.4/pear/Makefile.frag	2006-02-08 02:12:12.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/pear/Makefile.frag	2006-09-05 20:31:05.000000000 +0200
@@ -3,7 +3,7 @@
 peardir=$(PEAR_INSTALLDIR)
 
 # Skip all php.ini files altogether
-PEAR_INSTALL_FLAGS = -n -dshort_open_tag=0 -dsafe_mode=0 -derror_reporting=E_ALL -dmemory_limit=-1 -ddetect_unicode=0
+PEAR_INSTALL_FLAGS = -n -dshort_open_tag=0 -dsafe_mode=0 -derror_reporting=E_ALL -dmemory_limit=-1 -ddetect_unicode=0 -dhphp.executor.include.whitelist=phar
 
 install-pear-installer: $(SAPI_CLI_PATH)
 	@$(top_builddir)/sapi/cli/php $(PEAR_INSTALL_FLAGS) $(builddir)/install-pear-nozlib.phar -d "$(peardir)" -b "$(bindir)"
diff -Nura php-5.1.4/php.ini-dist hardening-patch-5.1.4-0.4.15/php.ini-dist
--- php-5.1.4/php.ini-dist	2006-02-09 00:43:48.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/php.ini-dist	2006-09-05 20:31:05.000000000 +0200
@@ -1197,6 +1197,209 @@
 ; instead of original one.
 soap.wsdl_cache_ttl=86400
 
+[hardening-patch]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;
+; hphp.log.syslog   - Configures level for alerts reported through syslog
+; hphp.log.sapi     - Configures level for alerts reported through SAPI errorlog
+; hphp.log.script   - Configures level for alerts reported through external script
+;
+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
+; Or each number up to get desired Hardening-Patch's reporting level
+; 
+; S_ALL             - All alerts
+; S_MEMORY          - All canary violations and the safe unlink protection use this class
+; S_VARS            - All variable filters trigger this class
+; S_FILES           - All violation of uploaded files filter use this class
+; S_INCLUDE         - The protection against malicious include filenames use this class
+; S_SQL             - Failed SQL queries in MySQL are logged with this class
+; S_EXECUTOR        - The execution depth protection uses this logging class
+; S_MISC            - All other log messages (f.e. format string protection) use this class
+;
+; Example:
+;
+;   - Report all alerts (except memory alerts) to the SAPI errorlog, 
+;     memory alerts through syslog and SQL+Include alerts fo the script
+;
+;hphp.log.syslog = S_MEMORY
+;hphp.log.sapi   = S_ALL & ~S_MEMORY
+;hphp.log.script = S_INCLUDE | S_SQL
+;
+; Syslog logging:
+; 
+;   - Facility configuration: one of the following facilities
+;
+;        LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
+;        LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
+;        LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
+;        LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
+;        LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
+;        LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
+;        LOG_PERROR
+;
+;   - Priority configuration: one of the followinf priorities
+;
+;        LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
+;        LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
+; 
+hphp.log.syslog.priority = LOG_ALERT
+hphp.log.syslog.facility = LOG_USER
+;
+; Script logging:
+;
+;hphp.log.script.name = /home/hphp/log_script
+;
+; Alert configuration:
+;
+;   - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
+;
+;hphp.log.use-x-forwarded-for = On
+;
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's Executor options ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Execution depth limit
+;hphp.executor.max_depth = 8000
+
+; White-/blacklist for function calls during normal execution
+;hphp.executor.func.whitelist = ord,chr
+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
+
+; White-/blacklist for function calls during eval() execution
+;hphp.executor.eval.whitelist = ord,chr
+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
+
+; White-/blacklist for URLs allowes in include filenames
+;
+;   - When both options are not set all URLs are forbidden
+;
+;   - When both options are set whitelist is taken and blacklist ignored
+;
+;   - An entry in the lists is either a URL sheme like: http, https
+;     or the beginning of an URL like: php://input
+;
+;hphp.executor.include.whitelist = cookietest
+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's REQUEST variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of REQUEST variables
+hphp.request.max_vars = 200
+
+; Limits the length of variable names (without indices)
+hphp.request.max_varname_length = 64
+
+; Limits the length of complete variable names (with indices)
+hphp.request.max_totalname_length = 256
+
+; Limits the length of array indices
+hphp.request.max_array_index_length = 64
+
+; Limits the depth of arrays
+hphp.request.max_array_depth = 100
+
+; Limits the length of variable values
+hphp.request.max_value_length = 65000
+
+; Disallow ASCII-NUL characters in input
+hphp.request.disallow_nul = 1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's COOKIE variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of COOKIE variables
+hphp.cookie.max_vars = 100
+
+; Limits the length of variable names (without indices)
+hphp.cookie.max_name_length = 64
+
+; Limits the length of complete variable names (with indices)
+hphp.cookie.max_totalname_length = 256
+
+; Limits the length of array indices
+hphp.cookie.max_array_index_length = 64
+
+; Limits the depth of arrays
+hphp.cookie.max_array_depth = 100
+
+; Limits the length of variable values
+hphp.cookie.max_value_length = 10000
+
+; Disallow ASCII-NUL characters in input
+hphp.cookie.disallow_nul = 1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's GET variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of COOKIE variables
+hphp.get.max_vars = 100
+
+; Limits the length of variable names (without indices)
+hphp.get.max_name_length = 64
+
+; Limits the length of complete variable names (with indices)
+hphp.get.max_totalname_length = 256
+
+; Limits the length of array indices
+hphp.get.max_array_index_length = 64
+
+; Limits the depth of arrays
+hphp.get.max_array_depth = 50
+
+; Limits the length of variable values
+hphp.get.max_value_length = 512
+
+; Disallow ASCII-NUL characters in input
+hphp.get.disallow_nul = 1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's POST variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of POST variables
+hphp.post.max_vars = 200
+
+; Limits the length of variable names (without indices)
+hphp.post.max_name_length = 64
+
+; Limits the length of complete variable names (with indices)
+hphp.post.max_totalname_length = 256
+
+; Limits the length of array indices
+hphp.post.max_array_index_length = 64
+
+; Limits the depth of arrays
+hphp.post.max_array_depth = 100
+
+; Limits the length of variable values
+hphp.post.max_value_length = 65000
+
+; Disallow ASCII-NUL characters in input
+hphp.post.disallow_nul = 1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's fileupload variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of uploadable files
+hphp.upload.max_uploads = 25
+
+; Filter out the upload of ELF executables
+hphp.upload.disallow_elf_files = On
+
+; External filterscript for upload verification
+;hphp.upload.verification_script = /home/hphp/verify_script
+
+
 ; Local Variables:
 ; tab-width: 4
 ; End:
diff -Nura php-5.1.4/php.ini-recommended hardening-patch-5.1.4-0.4.15/php.ini-recommended
--- php-5.1.4/php.ini-recommended	2006-02-09 00:43:48.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/php.ini-recommended	2006-09-05 20:31:06.000000000 +0200
@@ -1255,6 +1255,209 @@
 ; instead of original one.
 soap.wsdl_cache_ttl=86400
 
+[hardening-patch]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;
+; hphp.log.syslog   - Configures level for alerts reported through syslog
+; hphp.log.sapi     - Configures level for alerts reported through SAPI errorlog
+; hphp.log.script   - Configures level for alerts reported through external script
+;
+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
+; Or each number up to get desired Hardening-Patch's reporting level
+; 
+; S_ALL             - All alerts
+; S_MEMORY          - All canary violations and the safe unlink protection use this class
+; S_VARS            - All variable filters trigger this class
+; S_FILES           - All violation of uploaded files filter use this class
+; S_INCLUDE         - The protection against malicious include filenames use this class
+; S_SQL             - Failed SQL queries in MySQL are logged with this class
+; S_EXECUTOR        - The execution depth protection uses this logging class
+; S_MISC            - All other log messages (f.e. format string protection) use this class
+;
+; Example:
+;
+;   - Report all alerts (except memory alerts) to the SAPI errorlog, 
+;     memory alerts through syslog and SQL+Include alerts fo the script
+;
+;hphp.log.syslog = S_MEMORY
+;hphp.log.sapi   = S_ALL & ~S_MEMORY
+;hphp.log.script = S_INCLUDE | S_SQL
+;
+; Syslog logging:
+; 
+;   - Facility configuration: one of the following facilities
+;
+;        LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
+;        LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
+;        LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
+;        LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
+;        LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
+;        LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
+;        LOG_PERROR
+;
+;   - Priority configuration: one of the followinf priorities
+;
+;        LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
+;        LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
+; 
+hphp.log.syslog.priority = LOG_ALERT
+hphp.log.syslog.facility = LOG_USER
+;
+; Script logging:
+;
+;hphp.log.script.name = /home/hphp/log_script
+;
+; Alert configuration:
+;
+;   - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
+;
+;hphp.log.use-x-forwarded-for = On
+;
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's Executor options ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Execution depth limit
+;hphp.executor.max_depth = 8000
+
+; White-/blacklist for function calls during normal execution
+;hphp.executor.func.whitelist = ord,chr
+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
+
+; White-/blacklist for function calls during eval() execution
+;hphp.executor.eval.whitelist = ord,chr
+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
+
+; White-/blacklist for URLs allowes in include filenames
+;
+;   - When both options are not set all URLs are forbidden
+;
+;   - When both options are set whitelist is taken and blacklist ignored
+;
+;   - An entry in the lists is either a URL sheme like: http, https
+;     or the beginning of an URL like: php://input
+;
+;hphp.executor.include.whitelist = cookietest
+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's REQUEST variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of REQUEST variables
+hphp.request.max_vars = 200
+
+; Limits the length of variable names (without indices)
+hphp.request.max_varname_length = 64
+
+; Limits the length of complete variable names (with indices)
+hphp.request.max_totalname_length = 256
+
+; Limits the length of array indices
+hphp.request.max_array_index_length = 64
+
+; Limits the depth of arrays
+hphp.request.max_array_depth = 100
+
+; Limits the length of variable values
+hphp.request.max_value_length = 65000
+
+; Disallow ASCII-NUL characters in input
+hphp.request.disallow_nul = 1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's COOKIE variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of COOKIE variables
+hphp.cookie.max_vars = 100
+
+; Limits the length of variable names (without indices)
+hphp.cookie.max_name_length = 64
+
+; Limits the length of complete variable names (with indices)
+hphp.cookie.max_totalname_length = 256
+
+; Limits the length of array indices
+hphp.cookie.max_array_index_length = 64
+
+; Limits the depth of arrays
+hphp.cookie.max_array_depth = 100
+
+; Limits the length of variable values
+hphp.cookie.max_value_length = 10000
+
+; Disallow ASCII-NUL characters in input
+hphp.cookie.disallow_nul = 1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's GET variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of COOKIE variables
+hphp.get.max_vars = 100
+
+; Limits the length of variable names (without indices)
+hphp.get.max_name_length = 64
+
+; Limits the length of complete variable names (with indices)
+hphp.get.max_totalname_length = 256
+
+; Limits the length of array indices
+hphp.get.max_array_index_length = 64
+
+; Limits the depth of arrays
+hphp.get.max_array_depth = 50
+
+; Limits the length of variable values
+hphp.get.max_value_length = 512
+
+; Disallow ASCII-NUL characters in input
+hphp.get.disallow_nul = 1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's POST variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of POST variables
+hphp.post.max_vars = 200
+
+; Limits the length of variable names (without indices)
+hphp.post.max_name_length = 64
+
+; Limits the length of complete variable names (with indices)
+hphp.post.max_totalname_length = 256
+
+; Limits the length of array indices
+hphp.post.max_array_index_length = 64
+
+; Limits the depth of arrays
+hphp.post.max_array_depth = 100
+
+; Limits the length of variable values
+hphp.post.max_value_length = 65000
+
+; Disallow ASCII-NUL characters in input
+hphp.post.disallow_nul = 1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Hardening-Patch's fileupload variable filters ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Limits the number of uploadable files
+hphp.upload.max_uploads = 25
+
+; Filter out the upload of ELF executables
+hphp.upload.disallow_elf_files = On
+
+; External filterscript for upload verification
+;hphp.upload.verification_script = /home/hphp/verify_script
+
+
 ; Local Variables:
 ; tab-width: 4
 ; End:
diff -Nura php-5.1.4/run-tests.php hardening-patch-5.1.4-0.4.15/run-tests.php
--- php-5.1.4/run-tests.php	2006-05-03 23:37:16.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/run-tests.php	2006-09-05 20:31:06.000000000 +0200
@@ -161,6 +161,10 @@
 		'error_reporting=4095',
 		'display_errors=1',
 		'log_errors=0',
+                'hphp.executor.include.whitelist=cookietest',
+                'hphp.log.syslog=0',
+                'hphp.log.sapi=0',
+                'hphp.log.script=0',
 		'html_errors=0',
 		'track_errors=1',
 		'report_memleaks=1',
diff -Nura php-5.1.4/sapi/apache/mod_php5.c hardening-patch-5.1.4-0.4.15/sapi/apache/mod_php5.c
--- php-5.1.4/sapi/apache/mod_php5.c	2006-04-02 19:58:17.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/sapi/apache/mod_php5.c	2006-09-05 20:31:06.000000000 +0200
@@ -482,7 +482,7 @@
 	sapi_apache_get_fd,
 	sapi_apache_force_http_10,
 	sapi_apache_get_target_uid,
-	sapi_apache_get_target_gid
+	sapi_apache_get_target_gid,
 };
 /* }}} */
 
@@ -936,7 +936,11 @@
 	{
 		TSRMLS_FETCH();
 		if (PG(expose_php)) {
+#if HARDENING_PATCH
+			ap_add_version_component("PHP/" PHP_VERSION " with Hardening-Patch");
+#else
 			ap_add_version_component("PHP/" PHP_VERSION);
+#endif			
 		}
 	}
 #endif
diff -Nura php-5.1.4/sapi/apache2filter/sapi_apache2.c hardening-patch-5.1.4-0.4.15/sapi/apache2filter/sapi_apache2.c
--- php-5.1.4/sapi/apache2filter/sapi_apache2.c	2006-03-19 15:54:53.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/sapi/apache2filter/sapi_apache2.c	2006-09-05 20:31:06.000000000 +0200
@@ -573,7 +573,11 @@
 {
 	TSRMLS_FETCH();
 	if (PG(expose_php)) {
+#if HARDENING_PATCH
+		ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
+#else
 		ap_add_version_component(p, "PHP/" PHP_VERSION);
+#endif
 	}
 }
 
diff -Nura php-5.1.4/sapi/apache2handler/sapi_apache2.c hardening-patch-5.1.4-0.4.15/sapi/apache2handler/sapi_apache2.c
--- php-5.1.4/sapi/apache2handler/sapi_apache2.c	2006-03-19 15:54:53.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/sapi/apache2handler/sapi_apache2.c	2006-09-05 20:31:06.000000000 +0200
@@ -341,7 +341,11 @@
 {
 	TSRMLS_FETCH();
 	if (PG(expose_php)) {
+#if HARDENING_PATCH
+		ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
+#else
 		ap_add_version_component(p, "PHP/" PHP_VERSION);
+#endif
 	}
 }
 
diff -Nura php-5.1.4/sapi/cgi/cgi_main.c hardening-patch-5.1.4-0.4.15/sapi/cgi/cgi_main.c
--- php-5.1.4/sapi/cgi/cgi_main.c	2006-05-03 21:40:58.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/sapi/cgi/cgi_main.c	2006-09-05 20:31:06.000000000 +0200
@@ -1444,10 +1444,18 @@
 							SG(headers_sent) = 1;
 							SG(request_info).no_headers = 1;
 						}
+#if HARDENING_PATCH
 #if ZEND_DEBUG
-						php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
+						php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
 #else
-						php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
+						php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
+#endif
+#else
+#if ZEND_DEBUG
+						php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
+#else
+						php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
+#endif
 #endif
 						php_end_ob_buffers(1 TSRMLS_CC);
 						exit(0);
diff -Nura php-5.1.4/sapi/cli/php_cli.c hardening-patch-5.1.4-0.4.15/sapi/cli/php_cli.c
--- php-5.1.4/sapi/cli/php_cli.c	2006-02-21 22:15:13.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/sapi/cli/php_cli.c	2006-09-05 20:31:06.000000000 +0200
@@ -753,8 +753,14 @@
 					goto err;
 				}
 
+#if HARDENING_PATCH
+				php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2006 The PHP Group\n%s", 
+					PHP_VERSION, HARDENING_PATCH_VERSION,
+#else
 				php_printf("PHP %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2006 The PHP Group\n%s",
-					PHP_VERSION, sapi_module.name, __DATE__, __TIME__,
+					PHP_VERSION,
+#endif
+					sapi_module.name, __DATE__, __TIME__,
 #if ZEND_DEBUG && defined(HAVE_GCOV)
 					"(DEBUG GCOV)",
 #elif ZEND_DEBUG
diff -Nura php-5.1.4/TSRM/TSRM.h hardening-patch-5.1.4-0.4.15/TSRM/TSRM.h
--- php-5.1.4/TSRM/TSRM.h	2006-03-14 16:16:07.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/TSRM/TSRM.h	2006-09-05 20:31:06.000000000 +0200
@@ -33,6 +33,13 @@
 #	define TSRM_API
 #endif
 
+#if HARDENING_PATCH
+# if HAVE_REALPATH
+#  undef realpath
+#  define realpath php_realpath
+# endif
+#endif
+
 /* Only compile multi-threading functions if we're in ZTS mode */
 #ifdef ZTS
 
@@ -88,6 +95,7 @@
 
 #define THREAD_HASH_OF(thr,ts)  (unsigned long)thr%(unsigned long)ts
 
+
 #ifdef __cplusplus
 extern "C" {
 #endif
diff -Nura php-5.1.4/TSRM/tsrm_virtual_cwd.c hardening-patch-5.1.4-0.4.15/TSRM/tsrm_virtual_cwd.c
--- php-5.1.4/TSRM/tsrm_virtual_cwd.c	2006-03-05 19:57:54.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/TSRM/tsrm_virtual_cwd.c	2006-09-05 20:31:06.000000000 +0200
@@ -163,6 +163,7 @@
 static void cwd_globals_ctor(virtual_cwd_globals *cwd_globals TSRMLS_DC)
 {
 	CWD_STATE_COPY(&cwd_globals->cwd, &main_cwd_state);
+	cwd_globals->realpath_cache_disable = 0;
 	cwd_globals->realpath_cache_size = 0;
 	cwd_globals->realpath_cache_size_limit = REALPATH_CACHE_SIZE;
 	cwd_globals->realpath_cache_ttl = REALPATH_CACHE_TTL;
@@ -201,6 +202,176 @@
     return p;
 }
 
+#if HARDENING_PATCH
+CWD_API char *php_realpath(const char *path, char *resolved)
+{
+        struct stat sb;
+        char *p, *q, *s;
+        size_t left_len, resolved_len;
+        unsigned symlinks;
+        int serrno, slen;
+        int is_dir = 1;
+        char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
+
+        serrno = errno;
+        symlinks = 0;
+        if (path[0] == '/') {
+                resolved[0] = '/';
+                resolved[1] = '\0';
+                if (path[1] == '\0')
+                        return (resolved);
+                resolved_len = 1;
+                left_len = strlcpy(left, path + 1, sizeof(left));
+        } else {
+                if (getcwd(resolved, PATH_MAX) == NULL) {
+                        strlcpy(resolved, ".", PATH_MAX);
+                        return (NULL);
+                }
+                resolved_len = strlen(resolved);
+                left_len = strlcpy(left, path, sizeof(left));
+        }
+        if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
+                errno = ENAMETOOLONG;
+                return (NULL);
+        }
+
+        /*
+         * Iterate over path components in `left'.
+         */
+        while (left_len != 0) {
+                /*
+                 * Extract the next path component and adjust `left'
+                 * and its length.
+                 */
+                p = strchr(left, '/');
+                s = p ? p : left + left_len;
+                if (s - left >= sizeof(next_token)) {
+                        errno = ENAMETOOLONG;
+                        return (NULL);
+                }
+                memcpy(next_token, left, s - left);
+                next_token[s - left] = '\0';
+                left_len -= s - left;
+                if (p != NULL)
+                        memmove(left, s + 1, left_len + 1);
+                if (resolved[resolved_len - 1] != '/') {
+                        if (resolved_len + 1 >= PATH_MAX) {
+                                errno = ENAMETOOLONG;
+                                return (NULL);
+                        }
+                        resolved[resolved_len++] = '/';
+                        resolved[resolved_len] = '\0';
+                }
+                if (next_token[0] == '\0')
+                        continue;
+                else if (strcmp(next_token, ".") == 0)
+                        continue;
+                else if (strcmp(next_token, "..") == 0) {
+                        /*
+                         * Strip the last path component except when we have
+                         * single "/"
+                         */
+                        if (!is_dir) {
+                                errno = ENOENT;
+                                return (NULL);
+                        }
+                        if (resolved_len > 1) {
+                                resolved[resolved_len - 1] = '\0';
+                                q = strrchr(resolved, '/');
+                                *q = '\0';
+                                resolved_len = q - resolved;
+                        }
+                        continue;
+                }
+
+                /*
+                 * Append the next path component and lstat() it. If
+                 * lstat() fails we still can return successfully if
+                 * there are no more path components left.
+                 */
+                resolved_len = strlcat(resolved, next_token, PATH_MAX);
+                if (resolved_len >= PATH_MAX) {
+                        errno = ENAMETOOLONG;
+                        return (NULL);
+                }
+                if (lstat(resolved, &sb) != 0) {
+                        if (errno == ENOENT) {
+				if (p == NULL) {
+                            		errno = serrno;
+                            		return (resolved);
+				} else if (strstr(left, "/.") == NULL && strstr(left, "./") == NULL) {
+            				resolved_len = strlcat(resolved, "/", PATH_MAX);
+            				resolved_len = strlcat(resolved, left, PATH_MAX);
+            				if (resolved_len >= PATH_MAX) {
+                    				errno = ENAMETOOLONG;
+                    				return (NULL);
+            				}
+                            		errno = serrno;
+                            		return (resolved);
+				}
+                        }
+                        return (NULL);
+                }
+                if (S_ISLNK(sb.st_mode)) {
+                        if (symlinks++ > MAXSYMLINKS) {
+                                errno = ELOOP;
+                                return (NULL);
+                        }
+                        slen = readlink(resolved, symlink, sizeof(symlink) - 1);
+                        if (slen < 0)
+                                return (NULL);
+                        symlink[slen] = '\0';
+                        if (symlink[0] == '/') {
+                                resolved[1] = 0;
+                                resolved_len = 1;
+                        } else if (resolved_len > 1) {
+                                /* Strip the last path component. */
+                                resolved[resolved_len - 1] = '\0';
+                                q = strrchr(resolved, '/');
+                                *q = '\0';
+                                resolved_len = q - resolved;
+                        }
+
+                        /*
+                         * If there are any path components left, then
+                         * append them to symlink. The result is placed
+                         * in `left'.
+                         */
+                        if (p != NULL) {
+                                if (symlink[slen - 1] != '/') {
+                                        if (slen + 1 >= sizeof(symlink)) {
+                                                errno = ENAMETOOLONG;
+                                                return (NULL);
+                                        }
+                                        symlink[slen] = '/';
+                                        symlink[slen + 1] = 0;
+                                }
+                                left_len = strlcat(symlink, left, sizeof(left));
+                                if (left_len >= sizeof(left)) {
+                                        errno = ENAMETOOLONG;
+                                        return (NULL);
+                                }
+                        }
+                        left_len = strlcpy(left, symlink, sizeof(left));
+                } else {
+            		if (S_ISDIR(sb.st_mode)) {
+                    		is_dir = 1;
+            		} else {
+                    		is_dir = 0;
+            		}
+		}
+        }
+
+        /*
+         * Remove trailing slash except when the resolved pathname
+         * is a single "/".
+         */
+        if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
+                resolved[resolved_len - 1] = '\0';
+        return (resolved);
+}
+#endif
+
 CWD_API void virtual_cwd_startup(void)
 {
 	char cwd[MAXPATHLEN];
@@ -381,22 +552,33 @@
 #endif
 	char orig_path[MAXPATHLEN];
 	int orig_path_len = 0;
+	int use_realpath_cache = 1;
 	realpath_cache_bucket *bucket;
 	time_t t = 0;
 	TSRMLS_FETCH();
 
 	if (path_length == 0) 
 		return (0);
-	if (path_length >= MAXPATHLEN)
+	if (path_length >= MAXPATHLEN) {
+                state->cwd[0] = 0;
+                state->cwd_length = 0;
 		return (1);
+        }
+
+	/* Disable realpath cache if safe_mode or open_basedir are set */
+	if (CWDG(realpath_cache_disable)) {
+		use_realpath_cache = 0;
+	}
 
-	if (use_realpath && CWDG(realpath_cache_size_limit)) {
+	if (use_realpath && use_realpath_cache) {
 		if (IS_ABSOLUTE_PATH(path, path_length) || (state->cwd_length < 1)) {
 			memcpy(orig_path, path, path_length+1);
 			orig_path_len = path_length;
 		} else {
 			orig_path_len = path_length + state->cwd_length + 1;
 			if (orig_path_len >= MAXPATHLEN) {
+                                state->cwd[0] = 0;
+                                state->cwd_length = 0;
 				return 1;
 			}
 			memcpy(orig_path, state->cwd, state->cwd_length);
@@ -414,6 +596,8 @@
 			if (verify_path && verify_path(state)) {
 				CWD_STATE_FREE(state);
 				*state = old_state;
+                                state->cwd[0] = 0;
+                                state->cwd_length = 0;
 				return 1;
 			} else {
 				CWD_STATE_FREE(&old_state);
@@ -431,8 +615,9 @@
 				path = resolved_path;
 				path_length = strlen(path);
 			} else {
-				/* disable for now
-				return 1; */
+                                state->cwd[0] = 0;
+                                state->cwd_length = 0;
+				return 1;
 			}
 		}
 	} else { /* Concat current directory with relative path and then run realpath() on it */
@@ -441,6 +626,8 @@
 
 		ptr = tmp = (char *) malloc(state->cwd_length+path_length+sizeof("/"));
 		if (!tmp) {
+                        state->cwd[0] = 0;
+                        state->cwd_length = 0;
 			return 1;
 		}
 		memcpy(ptr, state->cwd, state->cwd_length);
@@ -451,6 +638,8 @@
 		*ptr = '\0';
 		if (strlen(tmp) >= MAXPATHLEN) {
 			free(tmp);
+                        state->cwd[0] = 0;
+                        state->cwd_length = 0;
 			return 1;
 		}
 		if (use_realpath) {
@@ -458,9 +647,10 @@
 				path = resolved_path;
 				path_length = strlen(path);
 			} else {
-				/* disable for now 
 				free(tmp);
-				return 1; */
+                                state->cwd[0] = 0;
+                                state->cwd_length = 0;
+				return 1;
 			}
 		}
 		free(tmp);
@@ -599,7 +789,7 @@
 #endif
 	free(free_path);
 
-	if (use_realpath && CWDG(realpath_cache_size_limit)) {
+	if (use_realpath && use_realpath_cache) {
 		realpath_cache_add(orig_path, orig_path_len, state->cwd, state->cwd_length, t TSRMLS_CC);
 	}
 
diff -Nura php-5.1.4/TSRM/tsrm_virtual_cwd.h hardening-patch-5.1.4-0.4.15/TSRM/tsrm_virtual_cwd.h
--- php-5.1.4/TSRM/tsrm_virtual_cwd.h	2006-04-10 13:56:18.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/TSRM/tsrm_virtual_cwd.h	2006-09-05 20:31:06.000000000 +0200
@@ -127,6 +127,22 @@
 
 typedef int (*verify_path_func)(const cwd_state *);
 
+#ifndef HAVE_STRLCPY
+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
+#undef strlcpy
+#define strlcpy php_strlcpy
+#endif
+
+#ifndef HAVE_STRLCAT
+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
+#undef strlcat
+#define strlcat php_strlcat
+#endif
+
+
+#if HARDENING_PATCH
+CWD_API char *php_realpath(const char *path, char *resolved);
+#endif
 CWD_API void virtual_cwd_startup(void);
 CWD_API void virtual_cwd_shutdown(void);
 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
@@ -199,6 +215,7 @@
 	long                   realpath_cache_size_limit;
 	long                   realpath_cache_ttl;
 	realpath_cache_bucket *realpath_cache[1024];
+	int                    realpath_cache_disable;
 } virtual_cwd_globals;
 
 #ifdef ZTS
diff -Nura php-5.1.4/Zend/zend_alloc.c hardening-patch-5.1.4-0.4.15/Zend/zend_alloc.c
--- php-5.1.4/Zend/zend_alloc.c	2006-01-05 00:53:03.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_alloc.c	2006-09-05 20:31:06.000000000 +0200
@@ -64,6 +64,11 @@
 # define END_MAGIC_SIZE 0
 #endif
 
+#if HARDENING_PATCH_MM_PROTECT
+# define CANARY_SIZE sizeof(unsigned int)
+#else
+# define CANARY_SIZE 0
+#endif
 
 # if MEMORY_LIMIT
 #  if ZEND_DEBUG
@@ -72,7 +77,15 @@
 #define CHECK_MEMORY_LIMIT(s, rs)	_CHECK_MEMORY_LIMIT(s, rs, NULL, 0)
 #  endif
 
-#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { AG(allocated_memory) += rs;\
+#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { if ((ssize_t)(rs) > (ssize_t)(INT_MAX - AG(allocated_memory))) { \
+									if (file) { \
+										fprintf(stderr, "Integer overflow in memory_limit check detected at %s:%d\n", file, lineno); \
+									} else { \
+										fprintf(stderr, "Integer overflow in memory_limit check detected\n"); \
+									} \
+									exit(1); \
+								} \
+								AG(allocated_memory) += rs;\
 								if (AG(memory_limit)<AG(allocated_memory)) {\
 									int php_mem_limit = AG(memory_limit); \
 									AG(allocated_memory) -= rs; \
@@ -105,9 +118,17 @@
 	if (p==AG(head)) {							\
 		AG(head) = p->pNext;					\
 	} else {									\
+		if (p != p->pLast->pNext) {				\
+			zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
+			exit(1);							\
+		}										\
 		p->pLast->pNext = p->pNext;				\
 	}											\
 	if (p->pNext) {								\
+		if (p != p->pNext->pLast) {				\
+			zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
+			exit(1);							\
+		}										\
 		p->pNext->pLast = p->pLast;				\
 	}
 #else
@@ -127,7 +148,7 @@
 #endif
 
 #define DECLARE_CACHE_VARS()	\
-	unsigned int real_size;		\
+	size_t real_size;		\
 	unsigned int cache_index
 
 #define REAL_SIZE(size) ((size+7) & ~0x7)
@@ -142,12 +163,22 @@
 
 ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 {
-	zend_mem_header *p;
+	zend_mem_header *p = NULL;
 	DECLARE_CACHE_VARS();
 	TSRMLS_FETCH();
 
+#if HARDENING_PATCH_MM_PROTECT
+	if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
+		zend_security_log(S_MEMORY, "emalloc() - requested size would result in integer overflow");
+		exit(1);
+	}
+#endif
 	CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
 
+	if (size > INT_MAX || SIZE < size) {
+		goto emalloc_error;
+	}
+
 #if !ZEND_DISABLE_MEMORY_CACHE
 	if ((CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
 		p = AG(cache)[CACHE_INDEX][--AG(cache_count)[CACHE_INDEX]];
@@ -164,6 +195,10 @@
 		AG(cache_stats)[CACHE_INDEX][1]++;
 		memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
 #endif
+#if HARDENING_PATCH_MM_PROTECT
+		p->canary = HG(canary_1);
+		memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
+#endif
 		p->size = size;
 		return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
 	} else {
@@ -179,11 +214,13 @@
 			AG(allocated_memory_peak) = AG(allocated_memory);
 		}
 #endif
-		p  = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
+		p  = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
 #if !ZEND_DISABLE_MEMORY_CACHE
 	}
 #endif
 
+emalloc_error:
+
 	HANDLE_BLOCK_INTERRUPTIONS();
 
 	if (!p) {
@@ -210,7 +247,10 @@
 # endif
 	memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
 #endif
-
+#if HARDENING_PATCH_MM_PROTECT
+ 	p->canary = HG(canary_1);
+ 	memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
+#endif
 	HANDLE_UNBLOCK_INTERRUPTIONS();
 	return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
 }
@@ -238,6 +278,10 @@
 		}
 	}
 
+	
+#if HARDENING_PATCH
+	zend_security_log(S_MEMORY, "Possible integer overflow catched by safe_emalloc()");
+#endif
 	zend_error(E_ERROR, "Possible integer overflow in memory allocation (%zd * %zd + %zd)", nmemb, size, offset);
 	return 0;
 }
@@ -270,9 +314,25 @@
 
 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 {
+#if HARDENING_PATCH_MM_PROTECT
+	unsigned int canary_2;
+#endif
 	zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
 	DECLARE_CACHE_VARS();
 	TSRMLS_FETCH();
+  
+#if HARDENING_PATCH_MM_PROTECT
+	if (p->canary != HG(canary_1)) goto efree_canary_mismatch;
+	memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
+	if (canary_2 != HG(canary_2)) {
+efree_canary_mismatch:
+		zend_security_log(S_MEMORY, "canary mismatch on efree() - heap overflow or double efree detected");
+		exit(1);
+	}
+	/* to catch double efree()s */
+	memset((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), 0, CANARY_SIZE);
+	p->canary = 0;
+#endif
 
 #if defined(ZTS) && TSRM_DEBUG
 	if (p->thread_id != tsrm_thread_id()) {
@@ -313,23 +373,35 @@
 
 ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 {
-	void *p;
-	int final_size = size*nmemb;
+	char *p;
+	size_t _size = nmemb * size;
+    
+	if (nmemb && (_size/nmemb!=size)) {
+#if HARDENING_PATCH
+		zend_security_log(S_MEMORY, "Possible integer overflow catched by ecalloc()");
+#endif
+		fprintf(stderr,"FATAL:  ecalloc():  Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
+#if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
+		kill(getpid(), SIGSEGV);
+#else
+		exit(1);
+#endif
+	}
 	
-	HANDLE_BLOCK_INTERRUPTIONS();
-	p = _emalloc(final_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
-	if (!p) {
-		HANDLE_UNBLOCK_INTERRUPTIONS();
-		return (void *) p;
+	p = (char *) _emalloc(_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+	if (p) {
+		memset(p, 0, _size);
 	}
-	memset(p, 0, final_size);
-	HANDLE_UNBLOCK_INTERRUPTIONS();
-	return p;
+	
+	return ((void *)p);
 }
 
 
 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 {
+#if HARDENING_PATCH_MM_PROTECT
+	unsigned int canary_2;
+#endif
 	zend_mem_header *p;
 	zend_mem_header *orig;
 	DECLARE_CACHE_VARS();
@@ -341,6 +413,16 @@
 
 	p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
 
+#if HARDENING_PATCH_MM_PROTECT
+	if (p->canary != HG(canary_1)) goto erealloc_canary_mismatch;
+	memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
+	if (canary_2 != HG(canary_2)) {
+erealloc_canary_mismatch:
+		zend_security_log(S_MEMORY, "canary mismatch on erealloc() - heap overflow detected");
+		exit(1);
+	}
+#endif
+
 #if defined(ZTS) && TSRM_DEBUG
 	if (p->thread_id != tsrm_thread_id()) {
 		void *new_p;
@@ -357,6 +439,13 @@
 	CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
 
 	HANDLE_BLOCK_INTERRUPTIONS();
+
+	if (size > INT_MAX || SIZE < size) {
+		REMOVE_POINTER_FROM_LIST(p);
+		p = NULL;
+		goto erealloc_error;
+	}
+
 #if MEMORY_LIMIT
 	CHECK_MEMORY_LIMIT(size - p->size, SIZE - REAL_SIZE(p->size));
 	if (AG(allocated_memory) > AG(allocated_memory_peak)) {
@@ -364,7 +453,8 @@
 	}
 #endif
 	REMOVE_POINTER_FROM_LIST(p);
-	p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
+	p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
+erealloc_error:
 	if (!p) {
 		if (!allow_failure) {
 			fprintf(stderr,"FATAL:  erealloc():  Unable to allocate %ld bytes\n", (long) size);
@@ -386,6 +476,9 @@
 	memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
 #endif	
 
+#if HARDENING_PATCH_MM_PROTECT
+ 	memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
+#endif
 	p->size = size;
 
 	HANDLE_UNBLOCK_INTERRUPTIONS();
@@ -460,6 +553,10 @@
 {
 	AG(head) = NULL;
 	
+#if HARDENING_PATCH_MM_PROTECT
+	HG(canary_1) = zend_canary();
+	HG(canary_2) = zend_canary();
+#endif
 #if MEMORY_LIMIT
 	AG(memory_limit) = 1<<30;		/* ridiculous limit, effectively no limit */
 	AG(allocated_memory) = 0;
diff -Nura php-5.1.4/Zend/zend_alloc.h hardening-patch-5.1.4-0.4.15/Zend/zend_alloc.h
--- php-5.1.4/Zend/zend_alloc.h	2006-01-05 00:53:03.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_alloc.h	2006-09-05 20:31:06.000000000 +0200
@@ -35,6 +35,9 @@
 #define MEM_BLOCK_CACHED_MAGIC	0xFB8277DCL
 
 typedef struct _zend_mem_header {
+#if HARDENING_PATCH_MM_PROTECT
+	unsigned int canary;
+#endif
 #if ZEND_DEBUG
 	long magic;
 	char *filename;
diff -Nura php-5.1.4/Zend/zend_API.h hardening-patch-5.1.4-0.4.15/Zend/zend_API.h
--- php-5.1.4/Zend/zend_API.h	2006-03-05 17:12:24.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_API.h	2006-09-05 20:31:06.000000000 +0200
@@ -47,6 +47,7 @@
 #define ZEND_METHOD(classname, name)	ZEND_NAMED_FUNCTION(ZEND_FN(classname##_##name))
 
 #define ZEND_FENTRY(zend_name, name, arg_info, flags)	{ #zend_name, name, arg_info, (zend_uint) (sizeof(arg_info)/sizeof(struct _zend_arg_info)-1), flags },
+#define ZEND_STATIC_FE(zend_name, name, arg_info)	{ zend_name, name, arg_info, (zend_uint) (sizeof(arg_info)/sizeof(struct _zend_arg_info)-1), 0 },
 
 #define ZEND_NAMED_FE(zend_name, name, arg_info)	ZEND_FENTRY(zend_name, name, arg_info, 0)
 #define ZEND_FE(name, arg_info)						ZEND_FENTRY(name, ZEND_FN(name), arg_info, 0)
diff -Nura php-5.1.4/Zend/zend_builtin_functions.c hardening-patch-5.1.4-0.4.15/Zend/zend_builtin_functions.c
--- php-5.1.4/Zend/zend_builtin_functions.c	2006-04-05 13:36:13.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_builtin_functions.c	2006-09-05 20:31:06.000000000 +0200
@@ -53,6 +53,9 @@
 static ZEND_FUNCTION(crash);
 #endif
 #endif
+#if HARDENING_PATCH_MM_PROTECT_DEBUG
+static ZEND_FUNCTION(heap_overflow);
+#endif
 static ZEND_FUNCTION(get_included_files);
 static ZEND_FUNCTION(is_subclass_of);
 static ZEND_FUNCTION(is_a);
@@ -113,6 +116,9 @@
 	ZEND_FE(crash,				NULL)
 #endif
 #endif
+#if HARDENING_PATCH_MM_PROTECT_DEBUG
+	ZEND_FE(heap_overflow,			NULL)
+#endif
 	ZEND_FE(get_included_files,	NULL)
 	ZEND_FALIAS(get_required_files,	get_included_files,		NULL)
 	ZEND_FE(is_subclass_of,		NULL)
@@ -1103,6 +1109,19 @@
 
 #endif /* ZEND_DEBUG */
 
+
+#if HARDENING_PATCH_MM_PROTECT_DEBUG
+ZEND_FUNCTION(heap_overflow)
+{
+	char *nowhere = emalloc(10);
+
+	memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
+	
+	efree(nowhere);
+}
+#endif
+
+
 /* {{{ proto array get_included_files(void)
    Returns an array with the file names that were include_once()'d */
 ZEND_FUNCTION(get_included_files)
diff -Nura php-5.1.4/Zend/zend.c hardening-patch-5.1.4-0.4.15/Zend/zend.c
--- php-5.1.4/Zend/zend.c	2006-03-30 23:39:01.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend.c	2006-09-05 20:31:06.000000000 +0200
@@ -55,6 +55,12 @@
 ZEND_API void (*zend_unblock_interruptions)(void);
 ZEND_API void (*zend_ticks_function)(int ticks);
 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
+#if HARDENING_PATCH
+ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
+#endif
+#if HARDENING_PATCH_INC_PROTECT
+ZEND_API int (*zend_is_valid_include)(zval *z);
+#endif
 int (*zend_vspprintf)(char **pbuf, size_t max_len, const char *format, va_list ap);
 ZEND_API char *(*zend_getenv)(char *name, size_t name_len TSRMLS_DC);
 
@@ -74,9 +80,391 @@
 	return SUCCESS;
 }
 
+#if HARDENING_PATCH
+static ZEND_INI_MH(OnUpdateHPHP_log_syslog)
+{
+	if (!new_value) {
+		EG(hphp_log_syslog) = S_ALL & ~S_SQL | S_MEMORY | S_INTERNAL;
+	} else {
+		EG(hphp_log_syslog) = atoi(new_value) | S_MEMORY | S_INTERNAL;
+	}
+	return SUCCESS;
+}
+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_facility)
+{
+	if (!new_value) {
+		EG(hphp_log_syslog_facility) = LOG_USER;
+	} else {
+		EG(hphp_log_syslog_facility) = atoi(new_value);
+	}
+	return SUCCESS;
+}
+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_priority)
+{
+	if (!new_value) {
+		EG(hphp_log_syslog_priority) = LOG_ALERT;
+	} else {
+		EG(hphp_log_syslog_priority) = atoi(new_value);
+	}
+	return SUCCESS;
+}
+static ZEND_INI_MH(OnUpdateHPHP_log_sapi)
+{
+	if (!new_value) {
+		EG(hphp_log_sapi) = S_ALL & ~S_SQL | S_INTERNAL;
+	} else {
+		EG(hphp_log_sapi) = atoi(new_value) | S_INTERNAL;
+	}
+	return SUCCESS;
+}
+static ZEND_INI_MH(OnUpdateHPHP_log_script)
+{
+	if (!new_value) {
+		EG(hphp_log_script) = S_ALL & ~S_MEMORY;
+	} else {
+		EG(hphp_log_script) = atoi(new_value) & (~S_MEMORY) & (~S_INTERNAL);
+	}
+	return SUCCESS;
+}
+static ZEND_INI_MH(OnUpdateHPHP_log_scriptname)
+{
+	if (EG(hphp_log_scriptname)) {
+		pefree(EG(hphp_log_scriptname),1);
+	}
+        EG(hphp_log_scriptname) = NULL;
+	if (new_value) {
+		EG(hphp_log_scriptname) = pestrdup(new_value,1);
+	}
+	return SUCCESS;
+}
+
+static ZEND_INI_MH(OnUpdateHPHP_include_whitelist)
+{
+	char *s = NULL, *e, *val;
+	unsigned long dummy = 1;
+
+	if (!new_value) {
+include_whitelist_destroy:
+		if (HG(include_whitelist)) {
+			zend_hash_destroy(HG(include_whitelist));
+			pefree(HG(include_whitelist),1);
+		}
+		HG(include_whitelist) = NULL;
+		return SUCCESS;
+	}
+	if (!(*new_value)) {
+		goto include_whitelist_destroy;
+	}
+	
+	HG(include_whitelist) = pemalloc(sizeof(HashTable), 1);
+	zend_hash_init(HG(include_whitelist), 5, NULL, NULL, 1);
+	
+	val = zend_str_tolower_dup(new_value, strlen(new_value));
+	e = val;
+
+	while (*e) {
+		switch (*e) {
+			case ' ':
+			case ',':
+				if (s) {
+					*e = '\0';
+					zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+					s = NULL;
+				}
+				break;
+			default:
+				if (!s) {
+					s = e;
+				}
+				break;
+		}
+		e++;
+	}
+	if (s) {
+		zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+	}
+	efree(val);
+	
+	return SUCCESS;
+}
+
+static ZEND_INI_MH(OnUpdateHPHP_include_blacklist)
+{
+	char *s = NULL, *e, *val;
+	unsigned long dummy = 1;
+
+	if (!new_value) {
+include_blacklist_destroy:
+		if (HG(include_blacklist)) {
+			zend_hash_destroy(HG(include_blacklist));
+			pefree(HG(include_blacklist),1);
+		}
+		HG(include_blacklist) = NULL;
+		return SUCCESS;
+	}
+	if (!(*new_value)) {
+		goto include_blacklist_destroy;
+	}
+	
+	HG(include_blacklist) = pemalloc(sizeof(HashTable), 1);
+	zend_hash_init(HG(include_blacklist), 5, NULL, NULL, 1);
+	
+	val = zend_str_tolower_dup(new_value, strlen(new_value));
+	e = val;
+
+	while (*e) {
+		switch (*e) {
+			case ' ':
+			case ',':
+				if (s) {
+					*e = '\0';
+					zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+					s = NULL;
+				}
+				break;
+			default:
+				if (!s) {
+					s = e;
+				}
+				break;
+		}
+		e++;
+	}
+	if (s) {
+		zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+	}
+	efree(val);
+	
+	return SUCCESS;
+}
+
+static ZEND_INI_MH(OnUpdateHPHP_eval_whitelist)
+{
+	char *s = NULL, *e, *val;
+	unsigned long dummy = 1;
+
+	if (!new_value) {
+eval_whitelist_destroy:
+		if (HG(eval_whitelist)) {
+			zend_hash_destroy(HG(eval_whitelist));
+			pefree(HG(eval_whitelist),1);
+		}
+		HG(eval_whitelist) = NULL;
+		return SUCCESS;
+	}
+	if (!(*new_value)) {
+		goto eval_whitelist_destroy;
+	}
+	
+	HG(eval_whitelist) = pemalloc(sizeof(HashTable), 1);
+	zend_hash_init(HG(eval_whitelist), 5, NULL, NULL, 1);
+	
+	val = zend_str_tolower_dup(new_value, strlen(new_value));
+	e = val;
+
+	while (*e) {
+		switch (*e) {
+			case ' ':
+			case ',':
+				if (s) {
+					*e = '\0';
+					zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+					s = NULL;
+				}
+				break;
+			default:
+				if (!s) {
+					s = e;
+				}
+				break;
+		}
+		e++;
+	}
+	if (s) {
+		zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+	}
+	efree(val);
+	
+	return SUCCESS;
+}
+
+static ZEND_INI_MH(OnUpdateHPHP_eval_blacklist)
+{
+	char *s = NULL, *e, *val;
+	unsigned long dummy = 1;
+
+	if (!new_value) {
+eval_blacklist_destroy:
+		if (HG(eval_blacklist)) {
+			zend_hash_destroy(HG(eval_blacklist));
+			pefree(HG(eval_blacklist), 1);
+		}
+		HG(eval_blacklist) = NULL;
+		return SUCCESS;
+	}
+	if (!(*new_value)) {
+		goto eval_blacklist_destroy;
+	}
+	
+	HG(eval_blacklist) = pemalloc(sizeof(HashTable), 1);
+	zend_hash_init(HG(eval_blacklist), 5, NULL, NULL, 1);
+	
+	val = zend_str_tolower_dup(new_value, strlen(new_value));
+	e = val;
+
+	while (*e) {
+		switch (*e) {
+			case ' ':
+			case ',':
+				if (s) {
+					*e = '\0';
+					zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+					s = NULL;
+				}
+				break;
+			default:
+				if (!s) {
+					s = e;
+				}
+				break;
+		}
+		e++;
+	}
+	if (s) {
+		zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+	}
+	efree(val);
+	
+	
+	return SUCCESS;
+}
+
+static ZEND_INI_MH(OnUpdateHPHP_func_whitelist)
+{
+	char *s = NULL, *e, *val;
+	unsigned long dummy = 1;
+
+	if (!new_value) {
+func_whitelist_destroy:
+		if (HG(func_whitelist)) {
+			zend_hash_destroy(HG(func_whitelist));
+			pefree(HG(func_whitelist),1);
+		}
+		HG(func_whitelist) = NULL;
+		return SUCCESS;
+	}
+	if (!(*new_value)) {
+		goto func_whitelist_destroy;
+	}
+	
+	HG(func_whitelist) = pemalloc(sizeof(HashTable), 1);
+	zend_hash_init(HG(func_whitelist), 5, NULL, NULL, 1);
+	
+	val = zend_str_tolower_dup(new_value, strlen(new_value));
+	e = val;
+
+	while (*e) {
+		switch (*e) {
+			case ' ':
+			case ',':
+				if (s) {
+					*e = '\0';
+					zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+					s = NULL;
+				}
+				break;
+			default:
+				if (!s) {
+					s = e;
+				}
+				break;
+		}
+		e++;
+	}
+	if (s) {
+		zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+	}
+	efree(val);
+	
+	return SUCCESS;
+}
+
+static ZEND_INI_MH(OnUpdateHPHP_func_blacklist)
+{
+	char *s = NULL, *e, *val;
+	unsigned long dummy = 1;
+
+	if (!new_value) {
+func_blacklist_destroy:
+		if (HG(func_blacklist)) {
+			zend_hash_destroy(HG(func_blacklist));
+			pefree(HG(func_blacklist),1);
+		}
+		HG(func_blacklist) = NULL;
+		return SUCCESS;
+	}
+	if (!(*new_value)) {
+		goto func_blacklist_destroy;
+	}
+	
+	HG(func_blacklist) = pemalloc(sizeof(HashTable), 1);
+	zend_hash_init(HG(func_blacklist), 5, NULL, NULL, 1);
+	
+	val = zend_str_tolower_dup(new_value, strlen(new_value));
+	e = val;
+
+	while (*e) {
+		switch (*e) {
+			case ' ':
+			case ',':
+				if (s) {
+					*e = '\0';
+					zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+					s = NULL;
+				}
+				break;
+			default:
+				if (!s) {
+					s = e;
+				}
+				break;
+		}
+		e++;
+	}
+	if (s) {
+		zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
+	}
+	efree(val);
+	
+	
+	return SUCCESS;
+}
+
+#endif
 
 ZEND_INI_BEGIN()
 	ZEND_INI_ENTRY("error_reporting",				NULL,		ZEND_INI_ALL,		OnUpdateErrorReporting)
+#if HARDENING_PATCH
+	ZEND_INI_ENTRY("hphp.log.syslog",			NULL,		ZEND_INI_SYSTEM,	OnUpdateHPHP_log_syslog)
+	ZEND_INI_ENTRY("hphp.log.syslog.facility",		NULL,		ZEND_INI_SYSTEM,	OnUpdateHPHP_log_syslog_facility)
+	ZEND_INI_ENTRY("hphp.log.syslog.priority",		NULL,		ZEND_INI_SYSTEM,	OnUpdateHPHP_log_syslog_priority)
+	ZEND_INI_ENTRY("hphp.log.sapi",				NULL,		ZEND_INI_SYSTEM,	OnUpdateHPHP_log_sapi)
+	ZEND_INI_ENTRY("hphp.log.script",			NULL,		ZEND_INI_SYSTEM,	OnUpdateHPHP_log_script)
+	ZEND_INI_ENTRY("hphp.log.script.name",			NULL,		ZEND_INI_SYSTEM,	OnUpdateHPHP_log_scriptname)
+	STD_ZEND_INI_BOOLEAN("hphp.log.use-x-forwarded-for",	"0",		ZEND_INI_SYSTEM,	OnUpdateBool, hphp_log_use_x_forwarded_for,	zend_executor_globals,	executor_globals)
+
+	ZEND_INI_ENTRY("hphp.executor.include.whitelist",	NULL,		ZEND_INI_SYSTEM,	OnUpdateHPHP_include_whitelist)
+	ZEND_INI_ENTRY("hphp.executor.include.blacklist",	NULL,		ZEND_INI_SYSTEM,	OnUpdateHPHP_include_blacklist)
+	ZEND_INI_ENTRY("hphp.executor.eval.whitelist",	NULL,		ZEND_INI_PERDIR|ZEND_INI_SYSTEM,	OnUpdateHPHP_eval_whitelist)
+	ZEND_INI_ENTRY("hphp.executor.eval.blacklist",	NULL,		ZEND_INI_PERDIR|ZEND_INI_SYSTEM,	OnUpdateHPHP_eval_blacklist)
+	ZEND_INI_ENTRY("hphp.executor.func.whitelist",	NULL,		ZEND_INI_PERDIR|ZEND_INI_SYSTEM,	OnUpdateHPHP_func_whitelist)
+	ZEND_INI_ENTRY("hphp.executor.func.blacklist",	NULL,		ZEND_INI_PERDIR|ZEND_INI_SYSTEM,	OnUpdateHPHP_func_blacklist)
+
+	STD_ZEND_INI_ENTRY("hphp.executor.max_depth",		"0",		ZEND_INI_PERDIR|ZEND_INI_SYSTEM,	OnUpdateLong, hphp_executor_max_depth, zend_executor_globals, executor_globals)
+	STD_ZEND_INI_BOOLEAN("hphp.sql.bailout_on_error",	"0",		ZEND_INI_PERDIR|ZEND_INI_SYSTEM,	OnUpdateBool, hphp_sql_bailout_on_error,	hardened_globals_struct,	hardened_globals)
+	STD_ZEND_INI_BOOLEAN("hphp.multiheader",		"0",		ZEND_INI_PERDIR|ZEND_INI_SYSTEM,	OnUpdateBool, hphp_multiheader,	hardened_globals_struct,	hardened_globals)
+	STD_ZEND_INI_ENTRY("hphp.mail.protect",		"0",		ZEND_INI_PERDIR|ZEND_INI_SYSTEM,	OnUpdateLong, hphp_mailprotect,	hardened_globals_struct,	hardened_globals)
+#endif
 	STD_ZEND_INI_BOOLEAN("zend.ze1_compatibility_mode",	"0",	ZEND_INI_ALL,		OnUpdateBool,	ze1_compatibility_mode,	zend_executor_globals,	executor_globals)
 #ifdef ZEND_MULTIBYTE
 	STD_ZEND_INI_BOOLEAN("detect_unicode", "1", ZEND_INI_ALL, OnUpdateBool, detect_unicode, zend_compiler_globals, compiler_globals)
@@ -501,9 +889,13 @@
 	EG(user_error_handler) = NULL;
 	EG(user_exception_handler) = NULL;
 	EG(in_execution) = 0;
+	EG(in_code_type) = 0;
 	EG(in_autoload) = NULL;
 	EG(current_execute_data) = NULL;
 	EG(current_module) = NULL;
+#if HARDENING_PATCH
+        EG(hphp_log_scriptname) = NULL;
+#endif
 }
 
 
@@ -574,6 +966,14 @@
 	extern zend_scanner_globals language_scanner_globals;
 #endif
 
+	/* Set up Hardening-Patch utility functions first */
+#if HARDENING_PATCH
+	zend_security_log = utility_functions->security_log_function;
+#endif
+#if HARDENING_PATCH_INC_PROTECT
+	zend_is_valid_include = utility_functions->is_valid_include;
+#endif
+
 #ifdef ZTS
 	ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
 #else
@@ -777,6 +1177,7 @@
 	}
 	CG(unclean_shutdown) = 1;
 	CG(in_compilation) = EG(in_execution) = 0;
+	EG(in_code_type) = 0;
 	EG(current_execute_data) = NULL;
 	longjmp(EG(bailout), FAILURE);
 }
diff -Nura php-5.1.4/Zend/zend_canary.c hardening-patch-5.1.4-0.4.15/Zend/zend_canary.c
--- php-5.1.4/Zend/zend_canary.c	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_canary.c	2006-09-05 20:31:06.000000000 +0200
@@ -0,0 +1,58 @@
+/*
+   +----------------------------------------------------------------------+
+   | Hardening-Patch for PHP                                              |
+   +----------------------------------------------------------------------+
+   | Copyright (c) 2004-2005 Stefan Esser                                 |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 2.02 of the PHP license,      |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available at through the world-wide-web at                           |
+   | http://www.php.net/license/2_02.txt.                                 |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+   | Author: Stefan Esser <sesser@hardened-php.net>                       |
+   +----------------------------------------------------------------------+
+ */
+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
+
+#include "zend.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+
+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
+
+/* will be replaced later with more compatible method */
+ZEND_API unsigned int zend_canary()
+{
+	time_t t;
+	unsigned int canary;
+	int fd;
+	
+	fd = open("/dev/urandom", 0);
+	if (fd != -1) {
+		int r = read(fd, &canary, sizeof(canary));
+		close(fd);
+		if (r == sizeof(canary)) {
+			return (canary);
+		}
+	}
+	/* not good but we never want to do this */
+	time(&t);
+	canary = *(unsigned int *)&t + getpid() << 16;
+	return (canary);
+}
+#endif
+
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: sw=4 ts=4 fdm=marker
+ * vim<600: sw=4 ts=4
+ */
diff -Nura php-5.1.4/Zend/zend_compile.c hardening-patch-5.1.4-0.4.15/Zend/zend_compile.c
--- php-5.1.4/Zend/zend_compile.c	2006-05-02 17:49:26.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_compile.c	2006-09-05 20:31:06.000000000 +0200
@@ -1093,6 +1093,13 @@
 	op_array.prototype = NULL;
 
 	op_array.line_start = zend_get_compiled_lineno(TSRMLS_C);
+#if HARDENING_PATCH
+	if (EG(in_code_type)==ZEND_EVAL_CODE) {
+		op_array.created_by_eval = 1;
+	} else {
+		op_array.created_by_eval = 0;
+	}
+#endif
 
 	if (is_method) {
 		char *short_class_name = CG(active_class_entry)->name;
diff -Nura php-5.1.4/Zend/zend_compile.h hardening-patch-5.1.4-0.4.15/Zend/zend_compile.h
--- php-5.1.4/Zend/zend_compile.h	2006-03-13 12:13:42.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_compile.h	2006-09-05 20:31:06.000000000 +0200
@@ -217,6 +217,9 @@
 	zend_uint doc_comment_len;
 
 	void *reserved[ZEND_MAX_RESERVED_RESOURCES];
+#if HARDENING_PATCH
+	zend_bool created_by_eval;
+#endif	
 };
 
 
@@ -295,6 +298,8 @@
 	zval ***CVs;
 	zend_bool original_in_execution;
 	HashTable *symbol_table;
+	zend_uint original_in_code_type;
+	zend_uint execute_depth;
 	struct _zend_execute_data *prev_execute_data;
 	zval *old_error_reporting;
 };
@@ -617,6 +622,7 @@
 #define ZEND_OVERLOADED_FUNCTION			3
 #define	ZEND_EVAL_CODE						4
 #define ZEND_OVERLOADED_FUNCTION_TEMPORARY	5
+#define ZEND_SANDBOX_CODE			6
 
 #define ZEND_INTERNAL_CLASS         1
 #define ZEND_USER_CLASS             2
diff -Nura php-5.1.4/Zend/zend_constants.c hardening-patch-5.1.4-0.4.15/Zend/zend_constants.c
--- php-5.1.4/Zend/zend_constants.c	2006-03-15 15:12:26.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_constants.c	2006-09-05 20:31:06.000000000 +0200
@@ -109,6 +109,74 @@
 	REGISTER_MAIN_LONG_CONSTANT("E_USER_NOTICE", E_USER_NOTICE, CONST_PERSISTENT | CONST_CS);
 
 	REGISTER_MAIN_LONG_CONSTANT("E_ALL", E_ALL, CONST_PERSISTENT | CONST_CS);
+#if HARDENING_PATCH
+	REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_MAIL", S_MAIL, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
+	REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
+
+	/* error levels */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_CRIT", LOG_CRIT, CONST_CS | CONST_PERSISTENT); /* critical conditions */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_ERR", LOG_ERR, CONST_CS | CONST_PERSISTENT); 
+	REGISTER_MAIN_LONG_CONSTANT("LOG_WARNING", LOG_WARNING, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_NOTICE", LOG_NOTICE, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_INFO", LOG_INFO, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_DEBUG", LOG_DEBUG, CONST_CS | CONST_PERSISTENT);
+	/* facility: type of program logging the message */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_KERN", LOG_KERN, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_USER", LOG_USER, CONST_CS | CONST_PERSISTENT); /* generic user level */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_MAIL", LOG_MAIL, CONST_CS | CONST_PERSISTENT); /* log to email */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_DAEMON", LOG_DAEMON, CONST_CS | CONST_PERSISTENT); /* other system daemons */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_AUTH", LOG_AUTH, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_SYSLOG", LOG_SYSLOG, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LPR", LOG_LPR, CONST_CS | CONST_PERSISTENT);
+#ifdef LOG_NEWS
+	/* No LOG_NEWS on HP-UX */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_NEWS", LOG_NEWS, CONST_CS | CONST_PERSISTENT); /* usenet new */
+#endif
+#ifdef LOG_UUCP
+	/* No LOG_UUCP on HP-UX */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_UUCP", LOG_UUCP, CONST_CS | CONST_PERSISTENT);
+#endif
+#ifdef LOG_CRON
+	/* apparently some systems don't have this one */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_CRON", LOG_CRON, CONST_CS | CONST_PERSISTENT);
+#endif
+#ifdef LOG_AUTHPRIV
+	/* AIX doesn't have LOG_AUTHPRIV */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_AUTHPRIV", LOG_AUTHPRIV, CONST_CS | CONST_PERSISTENT);
+#endif
+#if !defined(PHP_WIN32) && !defined(NETWARE)
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL0", LOG_LOCAL0, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL1", LOG_LOCAL1, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL2", LOG_LOCAL2, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL3", LOG_LOCAL3, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL4", LOG_LOCAL4, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL5", LOG_LOCAL5, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL6", LOG_LOCAL6, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL7", LOG_LOCAL7, CONST_CS | CONST_PERSISTENT);
+#endif
+	/* options */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_PID", LOG_PID, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_CONS", LOG_CONS, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_ODELAY", LOG_ODELAY, CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("LOG_NDELAY", LOG_NDELAY, CONST_CS | CONST_PERSISTENT);
+#ifdef LOG_NOWAIT
+	REGISTER_MAIN_LONG_CONSTANT("LOG_NOWAIT", LOG_NOWAIT, CONST_CS | CONST_PERSISTENT);
+#endif
+#ifdef LOG_PERROR
+	/* AIX doesn't have LOG_PERROR */
+	REGISTER_MAIN_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
+#endif
+#endif
 
 	/* true/false constants */
 	{
diff -Nura php-5.1.4/Zend/zend_errors.h hardening-patch-5.1.4-0.4.15/Zend/zend_errors.h
--- php-5.1.4/Zend/zend_errors.h	2006-01-05 00:53:04.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_errors.h	2006-09-05 20:31:06.000000000 +0200
@@ -38,6 +38,19 @@
 #define E_ALL (E_ERROR | E_WARNING | E_PARSE | E_NOTICE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE)
 #define E_CORE (E_CORE_ERROR | E_CORE_WARNING)
 
+#if HARDENING_PATCH
+#define S_MEMORY			(1<<0L)
+#define S_VARS				(1<<1L)
+#define S_FILES				(1<<2L)
+#define S_INCLUDE			(1<<3L)
+#define S_SQL				(1<<4L)
+#define S_EXECUTOR			(1<<5L)
+#define S_MAIL				(1<<6L)
+#define S_MISC				(1<<30L)
+#define S_INTERNAL			(1<<29L)
+#define S_ALL (S_MEMORY | S_VARS | S_INCLUDE | S_FILES | S_MAIL | S_MISC | S_SQL | S_EXECUTOR)
+#endif
+
 #endif /* ZEND_ERRORS_H */
 
 /*
diff -Nura php-5.1.4/Zend/zend_execute_API.c hardening-patch-5.1.4-0.4.15/Zend/zend_execute_API.c
--- php-5.1.4/Zend/zend_execute_API.c	2006-04-21 00:49:20.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_execute_API.c	2006-09-05 20:31:06.000000000 +0200
@@ -142,6 +142,7 @@
 	EG(class_table) = CG(class_table);
 
 	EG(in_execution) = 0;
+	EG(in_code_type) = 0;
 	EG(in_autoload) = NULL;
 	EG(autoload_func) = NULL;
 
@@ -784,6 +785,39 @@
 			if (zend_hash_find(fci->function_table, function_name_lc, fname_len+1, (void **) &EX(function_state).function)==FAILURE) {
 			  EX(function_state).function = NULL;
 			}
+#if HARDENING_PATCH	
+			else {
+				if (EG(in_code_type) == ZEND_EVAL_CODE) {
+					if (HG(eval_whitelist) != NULL) {
+						if (!zend_hash_exists(HG(eval_whitelist), function_name_lc, fci->function_name->value.str.len+1)) {
+							zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name_lc);
+							efree(function_name_lc);
+							zend_bailout();
+						}
+					} else if (HG(eval_blacklist) != NULL) {
+						if (zend_hash_exists(HG(eval_blacklist), function_name_lc, fci->function_name->value.str.len+1)) {
+			    				zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name_lc);
+			    				efree(function_name_lc);
+							zend_bailout();
+						}
+					}
+				}
+				
+				if (HG(func_whitelist) != NULL) {
+					if (!zend_hash_exists(HG(func_whitelist), function_name_lc, fci->function_name->value.str.len+1)) {
+						zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name_lc);
+						efree(function_name_lc);
+						zend_bailout();
+					}
+				} else if (HG(func_blacklist) != NULL) {
+					if (zend_hash_exists(HG(func_blacklist), function_name_lc, fci->function_name->value.str.len+1)) {
+			    			zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name_lc);
+			    			efree(function_name_lc);
+						zend_bailout();
+					}
+				}
+			}
+#endif
 			efree(function_name_lc);
 		}
 
@@ -1076,7 +1110,7 @@
 	return zend_lookup_class_ex(name, name_length, 1, ce TSRMLS_CC);
 }
 
-ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
+ZEND_API int zend_eval_string_ex_ex(char *str, zval *retval_ptr, char *string_name, int type TSRMLS_DC)
 {
 	zval pv;
 	zend_op_array *new_op_array;
@@ -1109,6 +1143,7 @@
 		zval **original_return_value_ptr_ptr = EG(return_value_ptr_ptr);
 		zend_op **original_opline_ptr = EG(opline_ptr);
 
+		new_op_array->type = type;
 		EG(return_value_ptr_ptr) = &local_retval_ptr;
 		EG(active_op_array) = new_op_array;
 		EG(no_extensions)=1;
@@ -1143,6 +1178,12 @@
 }
 
 
+ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
+{
+	return (zend_eval_string_ex_ex(str, retval_ptr, string_name, ZEND_EVAL_CODE TSRMLS_CC));
+}
+
+
 ZEND_API int zend_eval_string_ex(char *str, zval *retval_ptr, char *string_name, int handle_exceptions TSRMLS_DC)
 {
 	int result;
diff -Nura php-5.1.4/Zend/zend_execute.c hardening-patch-5.1.4-0.4.15/Zend/zend_execute.c
--- php-5.1.4/Zend/zend_execute.c	2006-02-26 11:53:38.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_execute.c	2006-09-05 20:31:06.000000000 +0200
@@ -1351,6 +1351,37 @@
 		/* OBJ-TBI - doesn't support new object model! */
 		zend_hash_apply(Z_OBJPROP_PP(pz), (apply_func_t) zend_check_symbol TSRMLS_CC);
 	}
+#if HARDENING_PATCH	
+	if (EG(in_code_type) == ZEND_EVAL_CODE) {
+		if (HG(eval_whitelist) != NULL) {
+			if (!zend_hash_exists(HG(eval_whitelist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		} else if (HG(eval_blacklist) != NULL) {
+			if (zend_hash_exists(HG(eval_blacklist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		}
+	}
+	
+	if (HG(func_whitelist) != NULL) {
+		if (!zend_hash_exists(HG(func_whitelist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	} else if (HG(func_blacklist) != NULL) {
+		if (zend_hash_exists(HG(func_blacklist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	}
+#endif
 
 	return 0;
 }
@@ -1396,6 +1427,7 @@
        efree(EX(Ts)); \
      } \
      EG(in_execution) = EX(original_in_execution); \
+     EG(in_code_type) = EX(original_in_code_type); \
      EG(current_execute_data) = EX(prev_execute_data); \
      ZEND_VM_RETURN()
 
diff -Nura php-5.1.4/Zend/zend_extensions.c hardening-patch-5.1.4-0.4.15/Zend/zend_extensions.c
--- php-5.1.4/Zend/zend_extensions.c	2006-01-05 00:53:04.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_extensions.c	2006-09-05 20:31:06.000000000 +0200
@@ -55,23 +55,44 @@
 		return FAILURE;
 	}
 
+	/* check if module is compiled against Hardening-Patch */
+	if (extension_version_info->zend_extension_api_no < 1000000000) {
+		fprintf(stderr, "%s is not compiled with Hardening-Patch.\n"
+				"The Hardening-Patch version %d is installed.\n\n",
+				new_extension->name,
+				HARDENING_PATCH_ZEND_EXTENSION_API_NO);
+		DL_UNLOAD(handle);
+		return FAILURE;
+	}
+
+
+	/* check if module is compiled against correct Hardening-Patch version */
+	if (extension_version_info->zend_extension_api_no != HARDENING_PATCH_ZEND_EXTENSION_API_NO) {
+		fprintf(stderr, "%s requires Hardening-Patch version %d.\n"
+				"The Hardening-Patch version %d is installed.\n\n",
+				new_extension->name,
+				extension_version_info->zend_extension_api_no,
+				HARDENING_PATCH_ZEND_EXTENSION_API_NO);
+		DL_UNLOAD(handle);
+		return FAILURE;
+	}
 
 	/* allow extension to proclaim compatibility with any Zend version */
-	if (extension_version_info->zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
-		if (extension_version_info->zend_extension_api_no > ZEND_EXTENSION_API_NO) {
+	if (extension_version_info->real_zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
+		if (extension_version_info->real_zend_extension_api_no > ZEND_EXTENSION_API_NO) {
 			fprintf(stderr, "%s requires Zend Engine API version %d.\n"
 					"The Zend Engine API version %d which is installed, is outdated.\n\n",
 					new_extension->name,
-					extension_version_info->zend_extension_api_no,
+					extension_version_info->real_zend_extension_api_no,
 					ZEND_EXTENSION_API_NO);
 			DL_UNLOAD(handle);
 			return FAILURE;
-		} else if (extension_version_info->zend_extension_api_no < ZEND_EXTENSION_API_NO) {
+		} else if (extension_version_info->real_zend_extension_api_no < ZEND_EXTENSION_API_NO) {
 			fprintf(stderr, "%s requires Zend Engine API version %d.\n"
 					"The Zend Engine API version %d which is installed, is newer.\n"
 					"Contact %s at %s for a later version of %s.\n\n",
 					new_extension->name,
-					extension_version_info->zend_extension_api_no,
+					extension_version_info->real_zend_extension_api_no,
 					ZEND_EXTENSION_API_NO,
 					new_extension->author,
 					new_extension->URL,
diff -Nura php-5.1.4/Zend/zend_extensions.h hardening-patch-5.1.4-0.4.15/Zend/zend_extensions.h
--- php-5.1.4/Zend/zend_extensions.h	2006-01-05 00:53:04.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_extensions.h	2006-09-05 20:31:06.000000000 +0200
@@ -24,9 +24,11 @@
 
 #include "zend_compile.h"
 
-/* The first number is the engine version and the rest is the date.
+/* The first API number is a flag saying that Hardening-Patch is used.
+ * The second number is the engine version and the date.
  * This way engine 2 API no. is always greater than engine 1 API no..
  */
+#define HARDENING_PATCH_ZEND_EXTENSION_API_NO	1022051106
 #define ZEND_EXTENSION_API_NO	220051025
 
 typedef struct _zend_extension_version_info {
@@ -34,6 +36,7 @@
 	char *required_zend_version;
 	unsigned char thread_safe;
 	unsigned char debug;
+	int real_zend_extension_api_no;
 } zend_extension_version_info;
 
 
@@ -101,7 +104,7 @@
 
 
 #define ZEND_EXTENSION()	\
-	ZEND_EXT_API zend_extension_version_info extension_version_info = { ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG }
+	ZEND_EXT_API zend_extension_version_info extension_version_info = { HARDENING_PATCH_ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG, ZEND_EXTENSION_API_NO }
 
 #define STANDARD_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
 #define COMPAT_ZEND_EXTENSION_PROPERTIES   NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
diff -Nura php-5.1.4/Zend/zend_globals.h hardening-patch-5.1.4-0.4.15/Zend/zend_globals.h
--- php-5.1.4/Zend/zend_globals.h	2006-01-05 00:53:04.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_globals.h	2006-09-05 20:31:06.000000000 +0200
@@ -180,6 +180,16 @@
 
 	int error_reporting;
 	int orig_error_reporting;
+#if HARDENING_PATCH
+	int hphp_log_syslog;
+	int hphp_log_syslog_facility;
+	int hphp_log_syslog_priority;
+	int hphp_log_sapi;
+	int hphp_log_script;
+	char *hphp_log_scriptname;
+	zend_bool hphp_log_use_x_forwarded_for;
+	long hphp_executor_max_depth;
+#endif
 	int exit_status;
 
 	zend_op_array *active_op_array;
@@ -197,6 +207,7 @@
 	int ticks_count;
 
 	zend_bool in_execution;
+	zend_uint in_code_type;
 	HashTable *in_autoload;
 	zend_function *autoload_func;
 	zend_bool bailout_set;
diff -Nura php-5.1.4/Zend/zend.h hardening-patch-5.1.4-0.4.15/Zend/zend.h
--- php-5.1.4/Zend/zend.h	2006-03-30 23:39:01.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend.h	2006-09-05 20:31:06.000000000 +0200
@@ -297,6 +297,7 @@
 	/* Variable information */
 	zvalue_value value;		/* value */
 	zend_uint refcount;
+	zend_ushort flags;
 	zend_uchar type;	/* active type */
 	zend_uchar is_ref;
 };
@@ -382,6 +383,12 @@
 	int (*stream_open_function)(const char *filename, zend_file_handle *handle TSRMLS_DC);
 	int (*vspprintf_function)(char **pbuf, size_t max_len, const char *format, va_list ap);
 	char *(*getenv_function)(char *name, size_t name_len TSRMLS_DC);
+#if HARDENING_PATCH
+	void (*security_log_function)(int loglevel, char *fmt, ...);
+#endif	
+#if HARDENING_PATCH_INC_PROTECT
+	int (*is_valid_include)(zval *z);
+#endif
 } zend_utility_functions;
 
 		
@@ -519,7 +526,16 @@
 extern ZEND_API int (*zend_stream_open_function)(const char *filename, zend_file_handle *handle TSRMLS_DC);
 extern int (*zend_vspprintf)(char **pbuf, size_t max_len, const char *format, va_list ap);
 extern ZEND_API char *(*zend_getenv)(char *name, size_t name_len TSRMLS_DC);
+#if HARDENING_PATCH
+extern ZEND_API	void (*zend_security_log)(int loglevel, char *fmt, ...);
+#endif	
+#if HARDENING_PATCH_INC_PROTECT
+extern ZEND_API int (*zend_is_valid_include)(zval *z);
+#endif
 
+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
+ZEND_API unsigned int zend_canary(void);
+#endif
 
 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);
 
@@ -644,6 +660,11 @@
 
 #include "zend_variables.h"
 
+#if HARDENING_PATCH
+#include "hardened_globals.h"
+#include "php_syslog.h"
+#endif
+
 #endif /* ZEND_H */
 
 /*
diff -Nura php-5.1.4/Zend/zend_hash.c hardening-patch-5.1.4-0.4.15/Zend/zend_hash.c
--- php-5.1.4/Zend/zend_hash.c	2006-04-07 12:06:21.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_hash.c	2006-09-05 20:31:06.000000000 +0200
@@ -21,6 +21,18 @@
 
 #include "zend.h"
 
+#if HARDENING_PATCH_HASH_PROTECT
+	unsigned int zend_hash_canary = 0x1234567;
+	zend_bool zend_hash_canary_inited = 0;
+#endif
+
+#define CHECK_HASH_CANARY(hash) \
+	if (zend_hash_canary != (hash)->canary) { \
+		zend_security_log(S_MEMORY, "Zend HashTable canary was overwritten"); \
+		exit(1); \
+	}
+
+
 #define CONNECT_TO_BUCKET_DLLIST(element, list_head)		\
 	(element)->pNext = (list_head);							\
 	(element)->pLast = NULL;								\
@@ -138,6 +150,9 @@
 {
 	uint i = 3;
 	Bucket **tmp;
+#if HARDENING_PATCH_HASH_PROTECT
+	TSRMLS_FETCH();	
+#endif	
 
 	SET_INCONSISTENT(HT_OK);
 
@@ -147,6 +162,13 @@
 
 	ht->nTableSize = 1 << i;
 	ht->nTableMask = ht->nTableSize - 1;
+#if HARDENING_PATCH_HASH_PROTECT
+	if (zend_hash_canary_inited==0) {
+		zend_hash_canary = zend_canary();
+		zend_hash_canary_inited = 1;
+	}
+	ht->canary = zend_hash_canary;
+#endif
 	ht->pDestructor = pDestructor;
 	ht->arBuckets = NULL;
 	ht->pListHead = NULL;
@@ -226,6 +248,9 @@
 				}
 #endif
 				if (ht->pDestructor) {
+#if HARDENING_PATCH_HASH_PROTECT
+					CHECK_HASH_CANARY(ht);
+#endif	
 					ht->pDestructor(p->pData);
 				}
 				UPDATE_DATA(ht, p, pData, nDataSize);
@@ -291,6 +316,9 @@
 				}
 #endif
 				if (ht->pDestructor) {
+#if HARDENING_PATCH_HASH_PROTECT
+					CHECK_HASH_CANARY(ht);
+#endif	
 					ht->pDestructor(p->pData);
 				}
 				UPDATE_DATA(ht, p, pData, nDataSize);
@@ -366,6 +394,9 @@
 			}
 #endif
 			if (ht->pDestructor) {
+#if HARDENING_PATCH_HASH_PROTECT
+				CHECK_HASH_CANARY(ht);
+#endif	
 				ht->pDestructor(p->pData);
 			}
 			UPDATE_DATA(ht, p, pData, nDataSize);
@@ -414,7 +445,7 @@
 	IS_CONSISTENT(ht);
 
 	if ((ht->nTableSize << 1) > 0) {	/* Let's double the table size */
-		t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
+		t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
 		if (t) {
 			HANDLE_BLOCK_INTERRUPTIONS();
 			ht->arBuckets = t;
@@ -424,6 +455,7 @@
 			HANDLE_UNBLOCK_INTERRUPTIONS();
 			return SUCCESS;
 		}
+		zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
 		return FAILURE;
 	}
 	return SUCCESS;
@@ -489,6 +521,9 @@
 				ht->pInternalPointer = p->pListNext;
 			}
 			if (ht->pDestructor) {
+#if HARDENING_PATCH_HASH_PROTECT
+				CHECK_HASH_CANARY(ht);
+#endif	
 				ht->pDestructor(p->pData);
 			}
 			if (p->pData != &p->pDataPtr) {
@@ -513,6 +548,11 @@
 
 	SET_INCONSISTENT(HT_IS_DESTROYING);
 
+#if HARDENING_PATCH_HASH_PROTECT
+	if (ht->pDestructor) {
+		CHECK_HASH_CANARY(ht);
+	}
+#endif	
 	p = ht->pListHead;
 	while (p != NULL) {
 		q = p;
@@ -539,6 +579,11 @@
 
 	SET_INCONSISTENT(HT_CLEANING);
 
+#if HARDENING_PATCH_HASH_PROTECT
+	if (ht->pDestructor) {
+		CHECK_HASH_CANARY(ht);
+	}
+#endif	
 	p = ht->pListHead;
 	while (p != NULL) {
 		q = p;
@@ -573,6 +618,9 @@
 	HANDLE_BLOCK_INTERRUPTIONS();
 
 	if (ht->pDestructor) {
+#if HARDENING_PATCH_HASH_PROTECT
+		CHECK_HASH_CANARY(ht);
+#endif	
 		ht->pDestructor(p->pData);
 	}
 	if (p->pData != &p->pDataPtr) {
diff -Nura php-5.1.4/Zend/zend_hash.h hardening-patch-5.1.4-0.4.15/Zend/zend_hash.h
--- php-5.1.4/Zend/zend_hash.h	2006-01-05 00:53:04.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_hash.h	2006-09-05 20:31:06.000000000 +0200
@@ -58,6 +58,9 @@
 } Bucket;
 
 typedef struct _hashtable {
+#if HARDENING_PATCH_HASH_PROTECT
+	unsigned int canary;
+#endif	
 	uint nTableSize;
 	uint nTableMask;
 	uint nNumOfElements;
diff -Nura php-5.1.4/Zend/zend_ini.c hardening-patch-5.1.4-0.4.15/Zend/zend_ini.c
--- php-5.1.4/Zend/zend_ini.c	2006-01-05 00:53:04.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_ini.c	2006-09-07 19:13:18.000000000 +0200
@@ -256,7 +256,8 @@
 	zend_ini_entry *ini_entry;
 	TSRMLS_FETCH();
 
-	if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
+	if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE ||
+	    (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER) == 0)) {
 		return FAILURE;
 	}
 
diff -Nura php-5.1.4/Zend/zend_language_scanner.l hardening-patch-5.1.4-0.4.15/Zend/zend_language_scanner.l
--- php-5.1.4/Zend/zend_language_scanner.l	2006-04-13 15:48:28.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_language_scanner.l	2006-09-05 20:31:06.000000000 +0200
@@ -389,6 +389,13 @@
 		compilation_successful=0;
 	} else {
 		init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
+#if HARDENING_PATCH
+		if (EG(in_code_type)==ZEND_EVAL_CODE) {
+			op_array->created_by_eval = 1;
+		} else {
+			op_array->created_by_eval = 0;
+		}
+#endif
 		CG(in_compilation) = 1;
 		CG(active_op_array) = op_array;
 		compiler_result = zendparse(TSRMLS_C);
diff -Nura php-5.1.4/Zend/zend_language_scanner.c hardening-patch-5.1.4-0.4.15/Zend/zend_language_scanner.c
--- php-5.1.4/Zend/zend_language_scanner.c	2006-05-12 16:41:13.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_language_scanner.c	2006-09-05 20:31:06.000000000 +0200
@@ -3075,6 +3075,13 @@
 		compilation_successful=0;
 	} else {
 		init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
+#if HARDENING_PATCH
+		if (EG(in_code_type)==ZEND_EVAL_CODE) {
+			op_array->created_by_eval = 1;
+		} else {
+			op_array->created_by_eval = 0;
+		}
+#endif
 		CG(in_compilation) = 1;
 		CG(active_op_array) = op_array;
 		compiler_result = zendparse(TSRMLS_C);
diff -Nura php-5.1.4/Zend/zend_llist.c hardening-patch-5.1.4-0.4.15/Zend/zend_llist.c
--- php-5.1.4/Zend/zend_llist.c	2006-01-05 00:53:04.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_llist.c	2006-09-05 20:31:06.000000000 +0200
@@ -22,9 +22,49 @@
 #include "zend.h"
 #include "zend_llist.h"
 #include "zend_qsort.h"
+#include "zend_globals.h"
+
+#if HARDENING_PATCH_LL_PROTECT
+	unsigned int zend_llist_canary_1 = 0x1234567;
+	unsigned int zend_llist_canary_2 = 0x1553425;
+	zend_bool zend_llist_canary_inited = 0;
+#endif
+
+#define CHECK_LIST_CANARY(list) \
+	if (((list)->persistent && (zend_llist_canary_1 != (list)->canary_h || zend_llist_canary_2 != (list)->canary_t)) \
+             ||(!(list)->persistent && (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t))) { \
+		zend_security_log(S_MEMORY, "linked list canary was overwritten"); \
+		exit(1); \
+	}
+
+#define CHECK_LISTELEMENT_CANARY(elem, list) \
+	if (((list)->persistent && zend_llist_canary_1 != (elem)->canary)||(!(list)->persistent && HG(canary_3) != (elem)->canary)) { \
+		zend_security_log(S_MEMORY, "linked list element canary was overwritten"); \
+		exit(1); \
+	}
+
 
 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
 {
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();	
+	
+        if (persistent) {
+                if (!zend_llist_canary_inited) {
+                        /* do not change order to ensure thread safety */
+                        zend_llist_canary_1 = zend_canary();
+                        zend_llist_canary_2 = zend_canary();
+                        zend_llist_canary_inited = 1;
+                }
+        } else
+	if (!HG(ll_canary_inited)) {
+		HG(canary_3) = zend_canary();
+		HG(canary_4) = zend_canary();
+		HG(ll_canary_inited) = 1;
+	}
+	l->canary_h = persistent ? zend_llist_canary_1 : HG(canary_3);
+	l->canary_t = persistent ? zend_llist_canary_2 : HG(canary_4);
+#endif
 	l->head  = NULL;
 	l->tail  = NULL;
 	l->count = 0;
@@ -38,6 +78,11 @@
 {
 	zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();	
+	CHECK_LIST_CANARY(l)
+	tmp->canary = l->persistent ? zend_llist_canary_1 : HG(canary_3);
+#endif
 	tmp->prev = l->tail;
 	tmp->next = NULL;
 	if (l->tail) {
@@ -56,6 +101,11 @@
 {
 	zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();	
+	CHECK_LIST_CANARY(l)
+	tmp->canary = l->persistent ? zend_llist_canary_1 : HG(canary_3);
+#endif
 	tmp->next = l->head;
 	tmp->prev = NULL;
 	if (l->head) {
@@ -93,10 +143,20 @@
 	zend_llist_element *current=l->head;
 	zend_llist_element *next;
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();	
+	CHECK_LIST_CANARY(l)
+#endif
 	while (current) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(current, l)
+#endif
 		next = current->next;
 		if (compare(current->data, element)) {
 			DEL_LLIST_ELEMENT(current, l);
+#if HARDENING_PATCH_LL_PROTECT
+			current->canary = 0;
+#endif
 			break;
 		}
 		current = next;
@@ -108,7 +168,14 @@
 {
 	zend_llist_element *current=l->head, *next;
 	
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();	
+	CHECK_LIST_CANARY(l)
+#endif
 	while (current) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(current, l)
+#endif
 		next = current->next;
 		if (l->dtor) {
 			l->dtor(current->data);
@@ -133,7 +200,14 @@
 	zend_llist_element *old_tail;
 	void *data;
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();	
+	CHECK_LIST_CANARY(l)
+#endif
 	if ((old_tail = l->tail)) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(old_tail, l)
+#endif
 		if (l->tail->prev) {
 			l->tail->prev->next = NULL;
 		}
@@ -159,9 +233,16 @@
 {
 	zend_llist_element *ptr;
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();	
+	CHECK_LIST_CANARY(src)
+#endif
 	zend_llist_init(dst, src->size, src->dtor, src->persistent);
 	ptr = src->head;
 	while (ptr) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(ptr, src)
+#endif
 		zend_llist_add_element(dst, ptr->data);
 		ptr = ptr->next;
 	}
@@ -172,11 +253,21 @@
 {
 	zend_llist_element *element, *next;
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();	
+	CHECK_LIST_CANARY(l)
+#endif
 	element=l->head;
 	while (element) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(element, l)
+#endif
 		next = element->next;
 		if (func(element->data)) {
 			DEL_LLIST_ELEMENT(element, l);
+#if HARDENING_PATCH_LL_PROTECT
+			element->canary = 0;
+#endif
 		}
 		element = next;
 	}
@@ -187,7 +278,13 @@
 {
 	zend_llist_element *element;
 
+#if HARDENING_PATCH_LL_PROTECT
+	CHECK_LIST_CANARY(l)
+#endif
 	for (element=l->head; element; element=element->next) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(element, l)
+#endif
 		func(element->data TSRMLS_CC);
 	}
 }
@@ -199,6 +296,9 @@
 	zend_llist_element **elements;
 	zend_llist_element *element, **ptr;
 
+#if HARDENING_PATCH_LL_PROTECT
+	CHECK_LIST_CANARY(l)
+#endif
 	if (l->count <= 0) {
 		return;
 	}
@@ -208,6 +308,9 @@
 	ptr = &elements[0];
 
 	for (element=l->head; element; element=element->next) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(element, l)
+#endif
 		*ptr++ = element;
 	}
 
@@ -230,7 +333,13 @@
 {
 	zend_llist_element *element;
 
+#if HARDENING_PATCH_LL_PROTECT
+	CHECK_LIST_CANARY(l)
+#endif
 	for (element=l->head; element; element=element->next) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(element, l)
+#endif
 		func(element->data, arg TSRMLS_CC);
 	}
 }
@@ -241,8 +350,14 @@
 	zend_llist_element *element;
 	va_list args;
 
+#if HARDENING_PATCH_LL_PROTECT
+	CHECK_LIST_CANARY(l)
+#endif
 	va_start(args, num_args);
 	for (element=l->head; element; element=element->next) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(element, l)
+#endif
 		func(element->data, num_args, args TSRMLS_CC);
 	}
 	va_end(args);
@@ -251,6 +366,10 @@
 
 ZEND_API int zend_llist_count(zend_llist *l)
 {
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();
+	CHECK_LIST_CANARY(l)
+#endif
 	return l->count;
 }
 
@@ -259,8 +378,15 @@
 {
 	zend_llist_position *current = pos ? pos : &l->traverse_ptr;
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();
+	CHECK_LIST_CANARY(l)
+#endif
 	*current = l->head;
 	if (*current) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(*current, l)
+#endif
 		return (*current)->data;
 	} else {
 		return NULL;
@@ -272,8 +398,15 @@
 {
 	zend_llist_position *current = pos ? pos : &l->traverse_ptr;
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();
+	CHECK_LIST_CANARY(l)
+#endif
 	*current = l->tail;
 	if (*current) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(*current, l)
+#endif
 		return (*current)->data;
 	} else {
 		return NULL;
@@ -285,9 +418,19 @@
 {
 	zend_llist_position *current = pos ? pos : &l->traverse_ptr;
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();
+	CHECK_LIST_CANARY(l)
+#endif
 	if (*current) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(*current, l)
+#endif
 		*current = (*current)->next;
 		if (*current) {
+#if HARDENING_PATCH_LL_PROTECT
+			CHECK_LISTELEMENT_CANARY(*current, l)
+#endif
 			return (*current)->data;
 		}
 	}
@@ -299,9 +442,19 @@
 {
 	zend_llist_position *current = pos ? pos : &l->traverse_ptr;
 
+#if HARDENING_PATCH_LL_PROTECT
+	TSRMLS_FETCH();
+	CHECK_LIST_CANARY(l)
+#endif
 	if (*current) {
+#if HARDENING_PATCH_LL_PROTECT
+		CHECK_LISTELEMENT_CANARY(*current, l)
+#endif
 		*current = (*current)->prev;
 		if (*current) {
+#if HARDENING_PATCH_LL_PROTECT
+			CHECK_LISTELEMENT_CANARY(*current, l)
+#endif
 			return (*current)->data;
 		}
 	}
diff -Nura php-5.1.4/Zend/zend_llist.h hardening-patch-5.1.4-0.4.15/Zend/zend_llist.h
--- php-5.1.4/Zend/zend_llist.h	2006-01-05 00:53:04.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_llist.h	2006-09-05 20:31:06.000000000 +0200
@@ -23,6 +23,9 @@
 #define ZEND_LLIST_H
 
 typedef struct _zend_llist_element {
+#if HARDENING_PATCH_LL_PROTECT
+	unsigned int canary, padding;
+#endif	
 	struct _zend_llist_element *next;
 	struct _zend_llist_element *prev;
 	char data[1]; /* Needs to always be last in the struct */
@@ -35,6 +38,9 @@
 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
 
 typedef struct _zend_llist {
+#if HARDENING_PATCH_LL_PROTECT
+	unsigned int canary_h; /* head */
+#endif	
 	zend_llist_element *head;
 	zend_llist_element *tail;
 	size_t count;
@@ -42,6 +48,9 @@
 	llist_dtor_func_t dtor;
 	unsigned char persistent;
 	zend_llist_element *traverse_ptr;
+#if HARDENING_PATCH_LL_PROTECT
+	unsigned int canary_t; /* tail */
+#endif	
 } zend_llist;
 
 typedef zend_llist_element* zend_llist_position;
diff -Nura php-5.1.4/Zend/zend_modules.h hardening-patch-5.1.4-0.4.15/Zend/zend_modules.h
--- php-5.1.4/Zend/zend_modules.h	2006-04-06 23:10:45.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_modules.h	2006-09-05 20:31:06.000000000 +0200
@@ -39,6 +39,7 @@
 extern struct _zend_arg_info fifth_arg_force_ref[6];
 extern struct _zend_arg_info all_args_by_ref[1];
 
+#define HARDENING_PATCH_ZEND_MODULE_API_NO 1002051106
 #define ZEND_MODULE_API_NO 20050922
 #ifdef ZTS
 #define USING_ZTS 1
@@ -46,13 +47,13 @@
 #define USING_ZTS 0
 #endif
 
-#define STANDARD_MODULE_HEADER_EX sizeof(zend_module_entry), ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
+#define STANDARD_MODULE_HEADER_EX sizeof(zend_module_entry), HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
 #define STANDARD_MODULE_HEADER \
 	STANDARD_MODULE_HEADER_EX, NULL, NULL
 #define ZE2_STANDARD_MODULE_HEADER \
 	STANDARD_MODULE_HEADER_EX, ini_entries, NULL
 
-#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0
+#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0, ZEND_MODULE_API_NO
 
 #define STANDARD_MODULE_PROPERTIES \
 	NULL, STANDARD_MODULE_PROPERTIES_EX
@@ -87,6 +88,7 @@
 	unsigned char type;
 	void *handle;
 	int module_number;
+	unsigned int real_zend_api;
 };
 
 #define MODULE_DEP_REQUIRED		1
diff -Nura php-5.1.4/Zend/zend_opcode.c hardening-patch-5.1.4-0.4.15/Zend/zend_opcode.c
--- php-5.1.4/Zend/zend_opcode.c	2006-04-10 14:26:53.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_opcode.c	2006-09-05 20:31:06.000000000 +0200
@@ -98,6 +98,9 @@
 	op_array->uses_this = 0;
 
 	op_array->start_op = NULL;
+#if HARDENING_PATCH
+	op_array->created_by_eval = 0;
+#endif
 
 	zend_llist_apply_with_argument(&zend_extensions, (llist_apply_with_arg_func_t) zend_extension_op_array_ctor_handler, op_array TSRMLS_CC);
 }
diff -Nura php-5.1.4/Zend/zend_vm_def.h hardening-patch-5.1.4-0.4.15/Zend/zend_vm_def.h
--- php-5.1.4/Zend/zend_vm_def.h	2006-04-12 13:37:50.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_vm_def.h	2006-09-05 20:31:06.000000000 +0200
@@ -1769,6 +1769,37 @@
 		efree(lcname);
 		zend_error_noreturn(E_ERROR, "Call to undefined function %s()", function_name_strval);
 	}
+#if HARDENING_PATCH	
+	if (EG(in_code_type) == ZEND_EVAL_CODE) {
+		if (HG(eval_whitelist) != NULL) {
+			if (!zend_hash_exists(HG(eval_whitelist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		} else if (HG(eval_blacklist) != NULL) {
+			if (zend_hash_exists(HG(eval_blacklist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		}
+	}
+	
+	if (HG(func_whitelist) != NULL) {
+		if (!zend_hash_exists(HG(func_whitelist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	} else if (HG(func_blacklist) != NULL) {
+		if (zend_hash_exists(HG(func_blacklist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	}
+#endif
 
 	efree(lcname);
 	if (OP2_TYPE != IS_CONST) {
@@ -1994,6 +2025,34 @@
 	if (zend_hash_find(EG(function_table), fname->value.str.val, fname->value.str.len+1, (void **) &EX(function_state).function)==FAILURE) {
 		zend_error_noreturn(E_ERROR, "Unknown function:  %s()", fname->value.str.val);
 	}
+#if HARDENING_PATCH	
+	if (EG(in_code_type) == ZEND_EVAL_CODE) {
+		if (HG(eval_whitelist) != NULL) {
+			if (!zend_hash_exists(HG(eval_whitelist), fname->value.str.val, fname->value.str.len+1)) {
+			    zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", fname->value.str.val);
+			    zend_bailout();
+			}
+		} else if (HG(eval_blacklist) != NULL) {
+			if (zend_hash_exists(HG(eval_blacklist), fname->value.str.val, fname->value.str.len+1)) {
+			    zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", fname->value.str.val);
+			    zend_bailout();
+			}
+		}
+	}
+
+	if (HG(func_whitelist) != NULL) {
+		if (!zend_hash_exists(HG(func_whitelist), fname->value.str.val, fname->value.str.len+1)) {
+		    zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", fname->value.str.val);
+		    zend_bailout();
+		}
+	} else if (HG(func_blacklist) != NULL) {
+		if (zend_hash_exists(HG(func_blacklist), fname->value.str.val, fname->value.str.len+1)) {
+		    zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", fname->value.str.val);
+		    zend_bailout();
+		}
+	}
+#endif
+
 	EX(object) = NULL;
 
 	FREE_OP1();
@@ -2709,7 +2768,12 @@
 				int dummy = 1;
 				zend_file_handle file_handle;
 
-				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#if HARDENING_PATCH_INC_PROTECT
+				if (zend_is_valid_include(inc_filename) 
+					&& (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC))) {
+#else
+ 				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#endif
 
 					if (!file_handle.opened_path) {
 						file_handle.opened_path = estrndup(inc_filename->value.str.val, inc_filename->value.str.len);
@@ -2734,6 +2798,11 @@
 			break;
 		case ZEND_INCLUDE:
 		case ZEND_REQUIRE:
+#if HARDENING_PATCH_INC_PROTECT
+			if (!zend_is_valid_include(inc_filename)) {
+        			break;
+			}
+#endif
 			new_op_array = compile_filename(opline->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
 			break;
 		case ZEND_EVAL: {
diff -Nura php-5.1.4/Zend/zend_vm_execute.h hardening-patch-5.1.4-0.4.15/Zend/zend_vm_execute.h
--- php-5.1.4/Zend/zend_vm_execute.h	2006-04-12 13:37:50.000000000 +0200
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_vm_execute.h	2006-09-05 20:31:07.000000000 +0200
@@ -56,6 +56,16 @@
 	EX(symbol_table) = EG(active_symbol_table);
 	EX(prev_execute_data) = EG(current_execute_data);
 	EG(current_execute_data) = &execute_data;
+#if HARDENING_PATCH	
+	EX(execute_depth) = 0;
+
+	if ((op_array->type == ZEND_EVAL_CODE || op_array->created_by_eval)&& EG(in_code_type) != ZEND_SANDBOX_CODE) {
+		EG(in_code_type) = ZEND_EVAL_CODE;
+	} else if (op_array->type == ZEND_SANDBOX_CODE) {
+		EG(in_code_type) = ZEND_SANDBOX_CODE;
+		op_array->type = ZEND_EVAL_CODE;
+	}
+#endif
 
 	EG(in_execution) = 1;
 	if (op_array->start_op) {
@@ -81,6 +91,18 @@
 	 */
 	EX(function_state).function_symbol_table = NULL;
 #endif
+#if HARDENING_PATCH	
+	if (EX(prev_execute_data) == NULL) {
+		EX(execute_depth) = 0;
+	} else {
+		EX(execute_depth) = EX(prev_execute_data)->execute_depth + 1;
+	}
+
+	if (EG(hphp_executor_max_depth) > 0 && EX(execute_depth) > EG(hphp_executor_max_depth)) {
+		zend_security_log(S_EXECUTOR, "Maximum execution depth of %u violated", EG(hphp_executor_max_depth));
+		zend_bailout();
+	}
+#endif
 	
 	while (1) {
 #ifdef ZEND_WIN32
@@ -724,6 +746,37 @@
 		efree(lcname);
 		zend_error_noreturn(E_ERROR, "Call to undefined function %s()", function_name_strval);
 	}
+#if HARDENING_PATCH	
+	if (EG(in_code_type) == ZEND_EVAL_CODE) {
+		if (HG(eval_whitelist) != NULL) {
+			if (!zend_hash_exists(HG(eval_whitelist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		} else if (HG(eval_blacklist) != NULL) {
+			if (zend_hash_exists(HG(eval_blacklist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		}
+	}
+	
+	if (HG(func_whitelist) != NULL) {
+		if (!zend_hash_exists(HG(func_whitelist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	} else if (HG(func_blacklist) != NULL) {
+		if (zend_hash_exists(HG(func_blacklist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	}
+#endif
 
 	efree(lcname);
 	if (IS_CONST != IS_CONST) {
@@ -925,6 +978,37 @@
 		efree(lcname);
 		zend_error_noreturn(E_ERROR, "Call to undefined function %s()", function_name_strval);
 	}
+#if HARDENING_PATCH	
+	if (EG(in_code_type) == ZEND_EVAL_CODE) {
+		if (HG(eval_whitelist) != NULL) {
+			if (!zend_hash_exists(HG(eval_whitelist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		} else if (HG(eval_blacklist) != NULL) {
+			if (zend_hash_exists(HG(eval_blacklist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		}
+	}
+	
+	if (HG(func_whitelist) != NULL) {
+		if (!zend_hash_exists(HG(func_whitelist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	} else if (HG(func_blacklist) != NULL) {
+		if (zend_hash_exists(HG(func_blacklist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	}
+#endif
 
 	efree(lcname);
 	if (IS_TMP_VAR != IS_CONST) {
@@ -1083,6 +1167,37 @@
 		efree(lcname);
 		zend_error_noreturn(E_ERROR, "Call to undefined function %s()", function_name_strval);
 	}
+#if HARDENING_PATCH	
+	if (EG(in_code_type) == ZEND_EVAL_CODE) {
+		if (HG(eval_whitelist) != NULL) {
+			if (!zend_hash_exists(HG(eval_whitelist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		} else if (HG(eval_blacklist) != NULL) {
+			if (zend_hash_exists(HG(eval_blacklist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		}
+	}
+	
+	if (HG(func_whitelist) != NULL) {
+		if (!zend_hash_exists(HG(func_whitelist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	} else if (HG(func_blacklist) != NULL) {
+		if (zend_hash_exists(HG(func_blacklist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	}
+#endif
 
 	efree(lcname);
 	if (IS_VAR != IS_CONST) {
@@ -1330,6 +1445,37 @@
 		efree(lcname);
 		zend_error_noreturn(E_ERROR, "Call to undefined function %s()", function_name_strval);
 	}
+#if HARDENING_PATCH	
+	if (EG(in_code_type) == ZEND_EVAL_CODE) {
+		if (HG(eval_whitelist) != NULL) {
+			if (!zend_hash_exists(HG(eval_whitelist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		} else if (HG(eval_blacklist) != NULL) {
+			if (zend_hash_exists(HG(eval_blacklist), lcname, function_name_strlen+1)) {
+			    zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
+			    efree(lcname);
+			    zend_bailout();
+			}
+		}
+	}
+	
+	if (HG(func_whitelist) != NULL) {
+		if (!zend_hash_exists(HG(func_whitelist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	} else if (HG(func_blacklist) != NULL) {
+		if (zend_hash_exists(HG(func_blacklist), lcname, function_name_strlen+1)) {
+		    zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
+		    efree(lcname);
+		    zend_bailout();
+		}
+	}
+#endif
 
 	efree(lcname);
 	if (IS_CV != IS_CONST) {
@@ -1635,6 +1781,34 @@
 	if (zend_hash_find(EG(function_table), fname->value.str.val, fname->value.str.len+1, (void **) &EX(function_state).function)==FAILURE) {
 		zend_error_noreturn(E_ERROR, "Unknown function:  %s()", fname->value.str.val);
 	}
+#if HARDENING_PATCH	
+	if (EG(in_code_type) == ZEND_EVAL_CODE) {
+		if (HG(eval_whitelist) != NULL) {
+			if (!zend_hash_exists(HG(eval_whitelist), fname->value.str.val, fname->value.str.len+1)) {
+			    zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", fname->value.str.val);
+			    zend_bailout();
+			}
+		} else if (HG(eval_blacklist) != NULL) {
+			if (zend_hash_exists(HG(eval_blacklist), fname->value.str.val, fname->value.str.len+1)) {
+			    zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", fname->value.str.val);
+			    zend_bailout();
+			}
+		}
+	}
+
+	if (HG(func_whitelist) != NULL) {
+		if (!zend_hash_exists(HG(func_whitelist), fname->value.str.val, fname->value.str.len+1)) {
+		    zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", fname->value.str.val);
+		    zend_bailout();
+		}
+	} else if (HG(func_blacklist) != NULL) {
+		if (zend_hash_exists(HG(func_blacklist), fname->value.str.val, fname->value.str.len+1)) {
+		    zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", fname->value.str.val);
+		    zend_bailout();
+		}
+	}
+#endif
+
 	EX(object) = NULL;
 
 	return zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
@@ -1914,7 +2088,12 @@
 				int dummy = 1;
 				zend_file_handle file_handle;
 
-				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#if HARDENING_PATCH_INC_PROTECT
+				if (zend_is_valid_include(inc_filename) 
+					&& (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC))) {
+#else
+ 				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#endif
 
 					if (!file_handle.opened_path) {
 						file_handle.opened_path = estrndup(inc_filename->value.str.val, inc_filename->value.str.len);
@@ -1939,6 +2118,11 @@
 			break;
 		case ZEND_INCLUDE:
 		case ZEND_REQUIRE:
+#if HARDENING_PATCH_INC_PROTECT
+			if (!zend_is_valid_include(inc_filename)) {
+        			break;
+			}
+#endif
 			new_op_array = compile_filename(opline->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
 			break;
 		case ZEND_EVAL: {
@@ -4345,7 +4529,12 @@
 				int dummy = 1;
 				zend_file_handle file_handle;
 
-				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#if HARDENING_PATCH_INC_PROTECT
+				if (zend_is_valid_include(inc_filename) 
+					&& (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC))) {
+#else
+ 				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#endif
 
 					if (!file_handle.opened_path) {
 						file_handle.opened_path = estrndup(inc_filename->value.str.val, inc_filename->value.str.len);
@@ -4370,6 +4559,11 @@
 			break;
 		case ZEND_INCLUDE:
 		case ZEND_REQUIRE:
+#if HARDENING_PATCH_INC_PROTECT
+			if (!zend_is_valid_include(inc_filename)) {
+        			break;
+			}
+#endif
 			new_op_array = compile_filename(opline->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
 			break;
 		case ZEND_EVAL: {
@@ -7358,7 +7552,12 @@
 				int dummy = 1;
 				zend_file_handle file_handle;
 
-				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#if HARDENING_PATCH_INC_PROTECT
+				if (zend_is_valid_include(inc_filename) 
+					&& (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC))) {
+#else
+ 				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#endif
 
 					if (!file_handle.opened_path) {
 						file_handle.opened_path = estrndup(inc_filename->value.str.val, inc_filename->value.str.len);
@@ -7383,6 +7582,11 @@
 			break;
 		case ZEND_INCLUDE:
 		case ZEND_REQUIRE:
+#if HARDENING_PATCH_INC_PROTECT
+			if (!zend_is_valid_include(inc_filename)) {
+        			break;
+			}
+#endif
 			new_op_array = compile_filename(opline->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
 			break;
 		case ZEND_EVAL: {
@@ -19470,7 +19674,12 @@
 				int dummy = 1;
 				zend_file_handle file_handle;
 
-				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#if HARDENING_PATCH_INC_PROTECT
+				if (zend_is_valid_include(inc_filename) 
+					&& (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC))) {
+#else
+ 				if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
+#endif
 
 					if (!file_handle.opened_path) {
 						file_handle.opened_path = estrndup(inc_filename->value.str.val, inc_filename->value.str.len);
@@ -19495,6 +19704,11 @@
 			break;
 		case ZEND_INCLUDE:
 		case ZEND_REQUIRE:
+#if HARDENING_PATCH_INC_PROTECT
+			if (!zend_is_valid_include(inc_filename)) {
+        			break;
+			}
+#endif
 			new_op_array = compile_filename(opline->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
 			break;
 		case ZEND_EVAL: {
diff -Nura php-5.1.4/Zend/zend_vm_execute.skl hardening-patch-5.1.4-0.4.15/Zend/zend_vm_execute.skl
--- php-5.1.4/Zend/zend_vm_execute.skl	2005-12-01 13:50:58.000000000 +0100
+++ hardening-patch-5.1.4-0.4.15/Zend/zend_vm_execute.skl	2006-09-05 20:31:07.000000000 +0200
@@ -27,6 +27,16 @@
 	EX(symbol_table) = EG(active_symbol_table);
 	EX(prev_execute_data) = EG(current_execute_data);
 	EG(current_execute_data) = &execute_data;
+#if HARDENING_PATCH	
+	EX(execute_depth) = 0;
+
+	if ((op_array->type == ZEND_EVAL_CODE || op_array->created_by_eval)&& EG(in_code_type) != ZEND_SANDBOX_CODE) {
+		EG(in_code_type) = ZEND_EVAL_CODE;
+	} else if (op_array->type == ZEND_SANDBOX_CODE) {
+		EG(in_code_type) = ZEND_SANDBOX_CODE;
+		op_array->type = ZEND_EVAL_CODE;
+	}
+#endif
 
 	EG(in_execution) = 1;
 	if (op_array->start_op) {
@@ -52,6 +62,18 @@
 	 */
 	EX(function_state).function_symbol_table = NULL;
 #endif
+#if HARDENING_PATCH	
+	if (EX(prev_execute_data) == NULL) {
+		EX(execute_depth) = 0;
+	} else {
+		EX(execute_depth) = EX(prev_execute_data)->execute_depth + 1;
+	}
+
+	if (EG(hphp_executor_max_depth) > 0 && EX(execute_depth) > EG(hphp_executor_max_depth)) {
+		zend_security_log(S_EXECUTOR, "Maximum execution depth of %u violated", EG(hphp_executor_max_depth));
+		zend_bailout();
+	}
+#endif
 	
 	while (1) {
     {%ZEND_VM_CONTINUE_LABEL%}